Hi,
In the logstash configuration file, I use grok, ruby and aggregate multiple times within the filter section. When I check for _grokparsefailure, _aggregateexception, _rubyexception (whatever do I need to check?) at the end, how I can tell where the failure comes from?
I could check error after each filter plugin, but would like to know if there is a better way to do so.
Thanks
There are two ways:
The below example does both:
filter {
grok {
id => "descriptive unique id"
tag_on_timeout => "your timeout tag for this instance"
tag_on_failure => ["your failure tag for this instance"]
match => {
# ...
}
}
if [tags] include "your timeout tag for this instance" {
# ... handle timeouts. these events consume a _lot_ of resources
} else if [tags] include "your failure tag for this instance" {
# handle failures to parse.
}
}
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.