GrokPraseFailure - JSON log - Success on Grokdebugger

Athul_Devkar · September 27, 2021, 9:18pm

I am facing issues while trying to parse this log. I have tried multiple options but nothing seems to work. No error message in the logs, except for this _grokprasefailure tag in the records. Can you please help with what I am missing here?
When I try it in GrokDebugger, it works all fine.

Any help is appreciated.

Auto route reason : {"opportunityId":"0042f00000Kttt","accountNumber":"999999999999999","agId":"0051H0001111IWYqTTT","division":"US","errorCode":"EC-109","errorName":"GetDetails Not Found","errorDescription":"SiteDetails Not Found"}

filter {
      
    json {
        source => message
        add_field => {
            "region" => "us-east-1"
        }
    }
	if [message] =~ /Auto route reason/ {
		grok {
			match => {"message" =>'%{CISCO_REASON} : {"opportunityId":"%{DATA:opportunityId}",%{GREEDYDATA:Greedymessage}}'}
        }
    }
}

Badger · September 27, 2021, 9:52pm

input { generator { count => 1 lines => [ 'Auto route reason : {"opportunityId":"0042f00000Kttt","accountNumber":"999999999999999","agId":"0051H0001111IWYqTTT","division":"US","errorCode":"EC-109","errorName":"GetDetails Not Found","errorDescription":"SiteDetails Not Found"}' ] } }
filter {
    if [message] =~ /Auto route reason/ {
        grok { match => {"message" =>'%{CISCO_REASON} : {"opportunityId":"%{DATA:opportunityId}",%{GREEDYDATA:Greedymessage}}'} }
    }
}

This works fine for me

"opportunityId" => "0042f00000Kttt",
"Greedymessage" => "\"accountNumber\":\"999999999999999\",\"agId\":\"0051H0001111IWYqTTT\",\"division\":\"US\",\"errorCode\":\"EC-109\",\"errorName\":\"GetDetails Not Found\",\"errorDescription\":\"SiteDetails Not Found\"",

Athul_Devkar · September 27, 2021, 10:14pm

Thanks for your response.

However, this one doesn't work for me. Any reason or anything I can do to fix this?

Badger · September 27, 2021, 10:48pm

I am puzzled why you would not have a _jsonparsefailure tag on the event, since the [message] field is not valid JSON. I suspect you are not running the configuration that you think you are.

system · October 25, 2021, 10:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
_grokparsefailure - Success in Grok Debugger - Log with Double quotes JSON Kibana	8	302	October 25, 2021
Grokparse failure even grok debugger fine Logstash	9	232	September 1, 2023
Grok failure grok debugger ok Logstash	3	596	July 26, 2019
Json parse failure even when the json is valid Logstash	7	450	July 25, 2018
How to apply parse failure tag only when message fails BOTH filters instead of just one? Logstash	2	1019	September 10, 2020

GrokPraseFailure - JSON log - Success on Grokdebugger

Related topics