How come my ElasticSearch ingest pipelines with multiple grok patterns are all failing?

ujjain · February 13, 2018, 7:52pm

I'm working on getting the Tomcat logs of some applications correctly processed in ElasticSearch, but unfortunately my ingest pipelines with multiple grok processors aren't working and they all end up in the failed-index.

catalina.out

13-Feb-2018 16:04:48.446 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -XX:MaxGCPauseMillis=200

catalina.log

13-Feb-2018 16:00:35.385 SEVERE [monkey.co.uk-startStop-1] org.apache.catalina.startup.HostConfig.deployWAR Error deploying web application archive [/opt/tomcat/apache-tomcat-8.5.16/webapps/email.war]
 java.lang.IllegalStateException: ContainerBase.addChild: start: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[monkey.co.uk].StandardContext[/email]]
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:756)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:728)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:734)
        at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:988)
        at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1860)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)

This is my ingest pipeline:

PUT _ingest/pipeline/tomcat_all

{  
   "description":"Pipeline tomcat_all",
   "on_failure":[  
      {  
         "set":{  
            "field":"_index",
            "value":"failed-{{ _index }}"
         }
      }
   ],
   "processors":[  
      {  
         "grok":{  
            "field":"message",
            "patterns":[  
               "%{MONTH}%{SPACE}%{MONTHDAY},%{SPACE}%{YEAR}%{SPACE}%{HOUR}:?%{MINUTE}(?::?%{SECOND})%{SPACE}(?:AM|PM)%{SPACE}%{NOTSPACE:class}%{SPACE}%{NOTSPACE:type_log}%{SPACE}%{WORD:loglevel}:%{SPACE}%{GREEDYDATA:log_text}"
            ]
         }
      },
      {  
         "grok":{  
            "field":"message",
            "patterns":[  
               "%{TIME:timestamp}%{SPACE}\\|-%{WORD:loglevel}%{SPACE}in%{SPACE}%{NOTSPACE:class}%{SPACE}%{GREEDYDATA:log_text}"
            ]
         }
      },
      {  
         "grok":{  
            "field":"message",
            "patterns":[  
               "%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:loglevel}%{SPACE}%{GREEDYDATA:log_text}"
            ]
         }
      },
      {  
         "grok":{  
            "field":"message",
            "patterns":[  
               "%{MONTHDAY}[/-]%{MONTH}[/-]%{YEAR} %{TIME}%{SPACE}%{WORD:loglevel}%{SPACE}%{GREEDYDATA:log_text}"
            ]
         }
      },
      {  
         "grok":{  
            "field":"message",
            "patterns":[  
               "%{MONTH}%{SPACE}%{MONTHDAY},%{SPACE}%{YEAR}%{SPACE}%{HOUR}:?%{MINUTE}(?::?%{SECOND})%{SPACE}(?:AM|PM)%{SPACE}%{GREEDYDATA:log_text}"
            ]
         }
      },
      {  
         "grok":{  
            "field":"message",
            "patterns":[  
               "%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:loglevel}%{SPACE}%{GREEDYDATA:log_text}"
            ]
         }
      },
      {  
         "grok":{  
            "field":"message",
            "patterns":[  
               "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:?%{MINUTE}(?::?%{SECOND})%{SPACE}%{ISO8601_TIMEZONE}%{SPACE}%{WORD:loglevel}%{SPACE}%{GREEDYDATA:log_text}"
            ]
         }
      },
      {  
         "grok":{  
            "field":"message",
            "patterns":[  
               "%{MONTHDAY}.%{MONTHNUM}.%{YEAR}%{SPACE}%{HOUR}:?%{MINUTE}(?::?%{SECOND})%{SPACE}%{WORD:loglevel}%{SPACE}%{GREEDYDATA:log_text}"
            ]
         }
      }
   ]
}

Grok patterns:

%{MONTH}%{SPACE}%{MONTHDAY},%{SPACE}%{YEAR}%{SPACE}%{HOUR}:?%{MINUTE}(?::?%{SECOND})%{SPACE}(?:AM|PM)%{SPACE}%{NOTSPACE:class}%{SPACE}%{NOTSPACE:type_log}%{SPACE}%{WORD:loglevel}:%{SPACE}%{GREEDYDATA:log_text}
%{TIME:timestamp}%{SPACE}\\|-%{WORD:loglevel}%{SPACE}in%{SPACE}%{NOTSPACE:class}%{SPACE}%{GREEDYDATA:log_text}
"%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:loglevel}%{SPACE}%{GREEDYDATA:log_text}
%{MONTHDAY}[/-]%{MONTH}[/-]%{YEAR} %{TIME}%{SPACE}%{WORD:loglevel}%{SPACE}%{GREEDYDATA:log_text}
%{MONTH}%{SPACE}%{MONTHDAY},%{SPACE}%{YEAR}%{SPACE}%{HOUR}:?%{MINUTE}(?::?%{SECOND})%{SPACE}(?:AM|PM)%{SPACE}%{GREEDYDATA:log_text}
%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:loglevel}%{SPACE}%{GREEDYDATA:log_text}
%{YEAR}-%{MONTHNUM}-%{MONTHDAY}%{SPACE}%{HOUR}:?%{MINUTE}(?::?%{SECOND})%{SPACE}%{ISO8601_TIMEZONE}%{SPACE}%{WORD:loglevel}%{SPACE}%{GREEDYDATA:log_text}
%{MONTHDAY}.%{MONTHNUM}.%{YEAR}%{SPACE}%{HOUR}:?%{MINUTE}(?::?%{SECOND})%{SPACE}%{WORD:loglevel}%{SPACE}%{GREEDYDATA:log_text}

I have tried the grok patterns manually at http://grokdebug.herokuapp.com and that worked fine.

system · March 13, 2018, 7:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok pattern failing in ingest pipeline, but working in grok debugger Elasticsearch	1	490	March 13, 2018
Changed grok pattern for ingest pipeline and now grok pattern matching is timing out after 1000ms Elasticsearch	4	2090	December 12, 2019
Ingest pipeline grok processor on_failure Elasticsearch ingest-pipeline	2	819	January 4, 2021
Grok pattern fails in pipeline, but works in grok builder? Elasticsearch	1	513	July 18, 2019
Ingest error from one pipeline causing errors in other pipelines Elasticsearch ingest-pipeline	1	272	August 9, 2023

How come my ElasticSearch ingest pipelines with multiple grok patterns are all failing?

Related topics