How to track failure or exception?

nobound · June 14, 2019, 4:45pm

Hi,

In the logstash configuration file, I use grok, ruby and aggregate multiple times within the filter section. When I check for _grokparsefailure, _aggregateexception, _rubyexception (whatever do I need to check?) at the end, how I can tell where the failure comes from?
I could check error after each filter plugin, but would like to know if there is a better way to do so.

Thanks

yaauie · June 14, 2019, 6:02pm

There are two ways:

configure the plugin to tag the event with something specific and descriptive when it fails
handle failures close to the bits that can cause failure

The below example does both:

filter {
  grok {
    id => "descriptive unique id"
    tag_on_timeout => "your timeout tag for this instance"
    tag_on_failure => ["your failure tag for this instance"]
    match => {
      # ...
    }
  }
  if [tags] include "your timeout tag for this instance" {
    # ... handle timeouts. these events consume a _lot_ of resources
  } else if [tags] include "your failure tag for this instance" {
    # handle failures to parse. 
  }
}

system · July 12, 2019, 6:02pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to know wich grok is failing? Logstash	3	229	December 7, 2023
Logstash Handling Filter Errors Logstash	3	2534	November 18, 2021
Ruby filter plugin: how to indicate failure Logstash	6	2547	February 19, 2019
[Feature request] Tag_on_failure for Logstash xml filter plugin Logstash	5	558	May 4, 2020
Can I use pattern in Logstash output plugin Logstash	13	277	February 7, 2023

How to track failure or exception?

Related Topics