_grokparsefailure in tags. Not able to change the format of the log

Hi team,

Your help is greatly appreciated. I have been stuck with this issue for two days.

I am dumping the logs through Cloud Foundry on port 5000 and my Logstash is listening on 5000. I have a simple filter in my config which is showing _grokparsefailure in Kibana. When I tried it with the online Grok Debugger it worked fine. Not sure what to change in my filter. Can anyone help me get out of this issue?

Here is my log line:

2017-10-10T09:54:22.827-04:00 [APP/PROC/WEB/0] [OUT] 2017-10-10 13:54:22.827 INFO 14 --- [nio-8080-exec-8] c.c.m.r.s.RosterCountService : data in the list

Here is my grok filter:

%{TIMESTAMP_ISO8601:timestamp}%{SPACE}[%{WORD:log_type}/%{WORD:service_info}/%{WORD:service_info}/%{WORD:service_info}]%{SPACE}[%{WORD:stage}]%{SPACE}%{NOTSPACE:addi_time_info}%{SPACE}%{NOTSPACE:addi_time_info}%{SPACE}%{LOGLEVEL:log_level}%{SPACE}%{NUMBER:log_level_num}%{SPACE}---%{SPACE}%{GREEDYDATA:logged_message}

Have you tried to escape the brackets using a backslash?

I tried the following grok filter doing this and it worked in the Grok Debugger on the 5.6.2 Kibana with X-Pack.

%{TIMESTAMP_ISO8601:timestamp}%{SPACE}\[%{WORD:log_type}/%{WORD:service_info_1}/%{WORD:service_info_2}/%{WORD:service_info_3}\]%{SPACE}\[%{WORD:stage}\]%{SPACE}%{TIMESTAMP_ISO8601:addi_time_info}%{SPACE}%{WORD:log_level}%{SPACE}%{INT:log_level_num}%{SPACE}---%{SPACE}%{GREEDYDATA:logged_message}

Also, you had duplicated field names: service_info appears three times in your grok filter.
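As an added illustration (not code from this thread or from Logstash), the small Python grok expander below carries trimmed copies of the core pattern definitions (an assumption: simplified from logstash-patterns-core, with atomic groups replaced by ordinary ones) and runs both patterns against the posted log line. The original pattern returns None, the equivalent of the _grokparsefailure tag, because the unescaped brackets compile into a character class; the escaped pattern returns every field, and the expander also shows how a field name used twice would come back as a list.

```python
import re
# Trimmed copies of the Logstash core grok definitions used by both patterns on this page
# (assumption: simplified from logstash-patterns-core; atomic groups replaced by ordinary ones).
PATTERNS = {
    "SPACE": r"\s*", "WORD": r"\b\w+\b", "NOTSPACE": r"\S+", "GREEDYDATA": r".*",
    "INT": r"(?:[+-]?(?:[0-9]+))", "YEAR": r"(?:\d\d){1,2}",
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|WARN(?:ING)?|ERR(?:OR)?|FATAL)",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])", "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])", "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "ISO8601_TIMEZONE": r"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))",
    "TIMESTAMP_ISO8601": r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}"
                         r"(?::?%{SECOND})?%{ISO8601_TIMEZONE}?",
}
REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def compile_grok(pattern):
    """Expand %{NAME[:field]} references into one regex; every capture gets a unique
    group name, so a field used twice collects a list (as grok does) instead of erroring."""
    fields = []
    def expand(text):
        def sub(m):
            body = expand(PATTERNS[m.group(1)])
            if m.group(2) is None:          # %{NAME} without a field: no capture
                return "(?:%s)" % body
            fields.append(m.group(2))
            return "(?P<g%d>%s)" % (len(fields) - 1, body)
        return REF.sub(sub, text)
    return re.compile(expand(pattern)), fields

def grok_match(pattern, line):
    """Return the extracted fields, or None where Logstash would tag _grokparsefailure."""
    regex, fields = compile_grok(pattern)
    m = regex.search(line)
    if m is None:
        return None
    out = {}
    for i, field in enumerate(fields):
        out.setdefault(field, []).append(m.group("g%d" % i))
    return {k: v[0] if len(v) == 1 else v for k, v in out.items()}
# The log line from the question, the original pattern (unescaped [ ] become a character
# class matching a single character, so it never fits the line) and the corrected pattern.
LINE = ("2017-10-10T09:54:22.827-04:00 [APP/PROC/WEB/0] [OUT] 2017-10-10 13:54:22.827 "
        "INFO 14 --- [nio-8080-exec-8] c.c.m.r.s.RosterCountService : data in the list")
BROKEN = (r"%{TIMESTAMP_ISO8601:timestamp}%{SPACE}[%{WORD:log_type}/%{WORD:service_info}/%{WORD:service_info}/"
          r"%{WORD:service_info}]%{SPACE}[%{WORD:stage}]%{SPACE}%{NOTSPACE:addi_time_info}%{SPACE}%{NOTSPACE:addi_time_info}"
          r"%{SPACE}%{LOGLEVEL:log_level}%{SPACE}%{INT:log_level_num}%{SPACE}---%{SPACE}%{GREEDYDATA:logged_message}")
FIXED = (r"%{TIMESTAMP_ISO8601:timestamp}%{SPACE}\[%{WORD:log_type}/%{WORD:service_info_1}/%{WORD:service_info_2}/"
         r"%{WORD:service_info_3}\]%{SPACE}\[%{WORD:stage}\]%{SPACE}%{TIMESTAMP_ISO8601:addi_time_info}%{SPACE}"
         r"%{WORD:log_level}%{SPACE}%{INT:log_level_num}%{SPACE}---%{SPACE}%{GREEDYDATA:logged_message}")
```

Events tagged _grokparsefailure are still indexed, but only with the raw message, so any search or alert keyed on log_level or the service fields silently misses them; watching the count of that tag is the quickest way to notice a pattern breaking after a log-format change.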
