Grokparsefailure on logstash

srk1 · May 14, 2021, 4:31pm

Hi ES users, i'm trying to send a simple log using filebeat on to ES via logstash and i'm experiencing grokparsefailure errors on kibana. Can someone please assist on what type of grok filter needs to be used? Below is the file i'm trying to input via filebeat.
CreateTime:1621009744368 PING
CreateTime:1621009748711 PING
CreateTime:1621009753392 PING
CreateTime:1621009757660 PING
CreateTime:1621009761982 PING
CreateTime:1621009766368 PING
CreateTime:1621009770798 PING
CreateTime:1621009775271 PING

Thanks,
SRK

Badger · May 14, 2021, 4:34pm

What does your grok filter configuration look like?

srk1 · May 14, 2021, 5:08pm

Hi Badger,
Following is the grok filter for existing file and the one i shared earlier is the new file without any grok.

filter{
grok {
match => { "message" => "[%{TIMESTAMP_ISO8601:log-timestamp}] %{LOGLEVEL:log-level} %{GREEDYDATA:log-message}" }
}
mutate {
remove_field => [ "message" ]
}
}
Thanks,
SRK

Badger · May 14, 2021, 5:51pm

That pattern in no way matches the example log entry you gave. It has a timestamp in milliseconds since the epoch, not an ISO8601 timestamp, it does not have square brackets, it does not have a LOGLEVEL. It is just completely the wrong pattern.

srk1 · May 14, 2021, 6:08pm

Yes, that's what i am trying to show. That pattern is for existing log input file but i just added the new log output that i shared earlier and i want to know what grok pattern fits for the new log entry.

Thanks,
SRK.

srk1 · May 18, 2021, 5:25am

Hi Badger,
I am trying to get the correct grok filter for the below line:
CreateTime:1621314039222 PING

grok {
match => { "message" => "%{GREEDYDATA:time}:%{NUMBER:timestamp} %{SPACE} %{GREEDYDATA:message}"
}

Can you please correct it?

Thanks,
SRK

Badger · May 18, 2021, 1:03pm

You have spaces around %{SPACE} so that pattern will require at least two spaces in the [message] field. Remove the spaces.

srk1 · May 18, 2021, 3:36pm

HI, I tried removing the spaces but looks like not working. Do you mind giving me the right format? Thanks and appreciate your help.

Badger · May 18, 2021, 5:12pm

I would expect

"%{GREEDYDATA:time}:%{NUMBER:timestamp}%{SPACE}%{GREEDYDATA:message}"

to match.

system · June 15, 2021, 5:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
_grokparsefailure while creating field using grok filter Logstash	6	314	November 20, 2019
Grok timestamp (can't match pattern) Logstash	2	304	March 15, 2021
Logstash/Grok help Logstash	5	429	May 31, 2017
New fields not being created and grok help Logstash	6	3221	July 6, 2017
Logstash _grokparsefailure Logstash	1	515	October 10, 2018

Grokparsefailure on logstash

Related topics