Help with "_grokparsefailure" and "_geoip_lookup_failure"

roman-tasi · July 2, 2022, 3:35am

I am getting those error tags. Here is my filter section from my logstash section (Note that I started to get the _grokparsefailure after adding the second grok with the src match, it was working fine with just the top grok):

filter {
  if [type]=="syslog" {
        grok {
                match => {
                "message" => "^<%{NUMBER:[syslog][priority]}>%{SPACE}++%{GREEDYDATA:[syslog][message]}$"
                }
                add_field => [ "received_at", "%{@timestamp}" ]
                add_field => [ "received_from", "%{host}" ]
                remove_field => "message"
        }
        grok {
                match => {
                "src" => "%{IP:[src][ip]}:%{NUMBER:[src][port]}:%{GREEDYDATA:[src][extradata]}$"
                }
        }
        kv {
                source => "[syslog][message]"
                remove_field => "[syslog][message]"
        }
        date {
                match => [ "[time]", "yyyy-MM-dd HH:mm:ss" ]
                target => "@timestamp"
        }
        geoip {
                source => "[src][ip]"
        }
  }
  if ![ecs] {
                mutate {
                        rename => ["host", "[host][name]" ]
                        update => { "[ecs][version]" => "1.5.0" }
                        add_tag => [ "ecs_converted" ]
                }
  }
}

Also I want to note I am getting _grokparsefailure and _geoip_lookup_failure even with this src (just using this as an example): 141.239.213.245:60288:X1

Thanks!!

sudhagar_ramesh · July 2, 2022, 6:12am

Hello @roman-tasi

I have tried with your grok failed block and i have changed it which is working for me. Could you this below block of code (just replaced src with message inside match block)

grok {
match => {
"message" => "%{IP:[src][ip]}:%{NUMBER:[src][port]}:%{GREEDYDATA:[src][extradata]}$"
}

Keep Posted!!! Thanks!!!

roman-tasi · July 2, 2022, 8:03am

Did not work for me. Same _grokparsefailure and _geoip_lookup_failure errors.

sudhagar_ramesh · July 2, 2022, 11:07am

Could you share some log lines to reproduce the issue

roman-tasi · July 3, 2022, 1:34am

My syslog logs are coming in with these tags:
_grokparsefailure, _geoip_lookup_failure, ecs_converted

sudhagar_ramesh · July 4, 2022, 3:22am

yes, because the logs are not matched maybe which is the reason i have asked to share few lines.

Does your grok pattern works fine in Grok Debugger (grokdebug.herokuapp.com)

system · August 1, 2022, 3:23am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.