How Can I parse why I got the error tag : _grokparsefailure

jianfeng_ye · September 19, 2015, 12:03am

I know that my be my grok error, but when I try my grok in this website:

http://grokconstructor.appspot.com/do/match#result

it return ok.

my grok pattern is:

%{WORD:http_host} %{URIHOST:api_domain} %{IP:inner_ip} %{IP:lvs_ip} \[%{HTTPDATE:timestamp}\] \"%{WORD:http_verb} %{URIPATH:baseurl}(?:\?%{NOTSPACE:request}|) HTTP/%{NUMBER:http_version}\" (?:-|%{NOTSPACE:request}) %{NUMBER:http_status_code} (?:%{NUMBER:bytes_read}|-) %{QS:referrer} %{QS:agent} %{NUMBER:time_duration:float} %{NUMBER:time_backend_response:float}

my error data is:

120_55_72_142 api.test.com 10.174.106.171 100.97.180.80 [18/Sep/2015:20:14:55 +0800] "GET /api1.4/message/getunreadcount/?channel=aisi&source=ios&token=6b69d5869c41fa7176835a81f2cc0927&uid=892473 HTTP/1.0" - 499 0 "-" "autoguru/com.baichebao.carmaste (2; OS Version 9.0 (Build 13A344))" 0.062 -

I really want to know where my pattern error and Is there any setting that can show more detail error for debug that?

Help~ Thanks

magnusbaeck · September 19, 2015, 8:26pm

For starters, the input string ends with "0.062 -" and you're trying to use two NUMBER patterns to match it. I suggest you follow the example of the bytes_read field and use (?:%{NUMBER:time_backend_response:float}|-) instead.

Allen704 · May 2, 2016, 1:49pm

Is there an answer to the actual question though? Is there a way to get more detail on where the error is occuring?

magnusbaeck · May 3, 2016, 11:07am

Is there an answer to the actual question though? Is there a way to get more detail on where the error is occuring?

I think the best you can do is truncating your grok expression to the bare minimum and then keep extending it until things stop working.