How to know which grok is failing?

Hi, I'm reviewing the pipeline of an ex-colleague, and there are almost 30 grok filters. Which would be the best way to identify which grok is failing?

I'm using stdout in the output.

Thanks!

Add tag_on_failure on every grok.
tag_on_failure => "grok1"

Then grok2, ...

2 Likes

One more option is to add the error handling in output and keep track of messages in a separate index.

output {
  # Matches the default tag grok adds when no tag_on_failure is set
  if "_grokparsefailure" in [tags] {
    elasticsearch {
      hosts => ["http://host:9200"]
      # %{+YYYY.MM.dd} gives one index per calendar day (dd = day of month; DD would be day of year)
      index => "grokparsefailure_%{+YYYY.MM.dd}"
    }
  }
}

However, tag_on_failure is a much faster way during debugging, and you can add meaningful logic: tag_on_failure => "grok_ciscoasa", tag_on_failure => "grok_tomcat", so that the if conditions and searches are easier.
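The two replies above fit together into one pipeline: a distinct tag_on_failure per grok so the tags array names the filter that rejected the event, plus an output that prints every event to stdout and routes the failures to their own index. The config below is an added illustration written for this thread, not code from either reply; the three grok blocks, their patterns and field names, the hosts value and the index name are all assumptions standing in for the roughly 30 filters in the question.

```logstash
input {
  stdin { }
}

filter {
  # Each grok gets its own failure tag. Setting tag_on_failure replaces the
  # default "_grokparsefailure", so a failing event carries a tag that names
  # exactly which grok rejected it.
  grok {
    match => { "message" => "%{SYSLOGTIMESTAMP:ts} %{HOSTNAME:src_host} %{GREEDYDATA:rest}" }
    tag_on_failure => ["grok_syslog_header"]
  }

  # Later groks work on fields produced by earlier ones. Guarding them with the
  # earlier tag avoids cascading failures, so one bad line yields one tag rather
  # than every downstream grok also reporting a miss.
  if "grok_syslog_header" not in [tags] {
    grok {
      match => { "rest" => "%{WORD:program}\[%{POSINT:pid}\]: %{GREEDYDATA:body}" }
      tag_on_failure => ["grok_program"]
    }
  }

  if "grok_syslog_header" not in [tags] and "grok_program" not in [tags] {
    grok {
      match => { "body" => "user=%{USERNAME:user} action=%{WORD:action}" }
      tag_on_failure => ["grok_body"]
    }
  }

  # One roll-up tag so the output needs a single condition instead of one
  # per grok; the specific grok_* tag stays on the event for diagnosis.
  if "grok_syslog_header" in [tags] or "grok_program" in [tags] or "grok_body" in [tags] {
    mutate { add_tag => ["grok_failed"] }
  }
}

output {
  # rubydebug prints the full event including the tags array, so during a
  # review the failing grok is readable directly on the console.
  stdout { codec => rubydebug }

  # Failed events also go to a dedicated daily index (assumed host and name),
  # where a terms aggregation on tags shows which grok fails most often.
  if "grok_failed" in [tags] {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "grokparsefailure-%{+YYYY.MM.dd}"
    }
  }
}
```

Run it with `bin/logstash -f` and paste sample lines on stdin: a line that matches all three patterns shows an empty tags array, while a line whose suffix does not carry `user=... action=...` shows `grok_body` and `grok_failed` in the printed event, pointing straight at the third grok.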
