Grokparsefailure

yuswanul · July 3, 2024, 11:04am

Hi there,

i'm trying to use grok pattern here and as you can see my pattern is already match the log

but when I see in kibana, idk why the tags always show _grokparsefailure

this is my code in pipeline

if [kubernetes][namespace] in ["ff-rr"]{
grok {
  match => ["message", "%{WORD:type}:\s+(?<data_customer>%{WORD}\s+%{WORD}):\s+%{GREEDYDATA:bodydata}"]
 }
json {
  source => "bodydata"
  skip_on_invalid_json => true
 }
}

what should I do? no character needs to escape in my grok pattern

Thanks

leandrojmp · July 3, 2024, 11:44am

Please share the result message you are getting in Kibana.

Go to discover, find a document where you have this tag, expand it, then go to the json tab and copy the content.

yuswanul · July 3, 2024, 11:55am

here is the value:

"message": "Response: LINK CUSTOMER: {\"responseCode\":\"xx\",\"responseDesc\":\"Blokir \\/ Tidak \",\"data\":null}",

leandrojmp · July 3, 2024, 12:05pm

You need to share the entire document you have in Elasticsearch.

yuswanul · July 3, 2024, 12:08pm

it's a production data. i need to take some time to masking it or if you can tell me what part you exactly want to see

leandrojmp · July 3, 2024, 12:20pm

Share the kubernetes fields, also share your entire logstash pipeline.

It is pretty hard to troubleshoot things without more context like the entire pipeline and what is the real output.

From what you share I see no issue in the grok filter you are using, it worked for me, so it may have something wrong with your pipeline, or maybe it is not matching the conditional you are using.

What is the source of data?

yuswanul · July 3, 2024, 12:26pm

idk why is this happen. when i change this line
from:

if [kubernetes][namespace] in ["ff-rr"]{

to:

if [kubernetes][namespace] == "ff-rr" {

it looks work. i tested it before on my local environment using first line, it works well. but when i apply it in production, it's not working. is there any difference between them?

Badger · July 3, 2024, 12:35pm

Yes, you cannot use in to test membership of an array with one member. It is parsed as a field reference, so logstash is testing the (non-existent) field ["ff-rr"] and the expression evaluates to false. It's very hard to fix this. It is tracked here.

yuswanul · July 4, 2024, 5:59am

ok, thanks for the info. i'll remember that

Topic		Replies	Views
_grokparsefailure but it works fine in dubugger Logstash	20	999	April 20, 2018
Help with grok filter on ingest pipeline Kibana	5	329	February 13, 2023
_grokparsefailure but grok debugger looks good Logstash	18	2790	August 19, 2021
Help with parsing Kaspersky logs Logstash	2	2917	February 9, 2018
Logstash Grok Pattern Not Working(Regex) Logstash	5	311	January 31, 2023

Grokparsefailure

Related Topics