Hi I got the input string as below
" Object update sweep completed on /srv/node/d3 in 0.00s seconds:, 0 successes, 0 failures, 0 quarantines, 0 unlinks, 0 errors (pid: 26739)"
And my grok pattern is as below.
grok {
Why I get _grokparsefailure always ?
I got other similar grok pattern but those doesn't have _grokparsefailure .
Thanks,
Any other grok filter in your configuration? Perhaps in another file in /etc/logstash/conf.d or wherever you keep your configuration files?
I think you might need to escape your brackets in the match.
grok {
match => { "message" => " Object update sweep completed on %{URIPATHPARAM:UpdSweepPath} in %{NUMBER:UpdSPRunTime:float}s seconds:, %{BASE10NUM:UpdSPNumOfSuc} successes, %{BASE10NUM:UpdSPNumOfFail} failures, %{BASE10NUM:UpdSPNumOfQuaranties} quarantines, %{BASE10NUM:UpdSPNumOfUnlink} unlinks, %{BASE10NUM:UpdSPNumOfErr} errors \(pid: %{WORD:UpdSPPID}\)" }
remove_tag => ["_grokparsefailure"]
add_tag => ["OBJ_UPD_SWEEPPARTITON_COMPLETE"]
}
specifically errors \(pid: %{WORD:UpdSPPID}\)"
@magnusbaeck , Thanks ! You are totally correct, I rename original filter with *.orig as backup. After I move to another folder the _grokparsefailure gone.
@stevesimpson , Thanks for your info, I did escape \( ... \) in my filter but looks like \ escape in message text if I am not use Preformatted text.
e.g w/o preformatted text
e.g w/ preformatted text\(pid: %{WORD:UpdSPPID}\)
system
March 22, 2018, 3:56pm
6
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.