How to track failure or exception?

nobound · June 14, 2019, 4:45pm

Hi,

In the logstash configuration file, I use grok, ruby and aggregate multiple times within the filter section. When I check for _grokparsefailure, _aggregateexception, _rubyexception (whatever do I need to check?) at the end, how I can tell where the failure comes from?
I could check error after each filter plugin, but would like to know if there is a better way to do so.

Thanks

yaauie · June 14, 2019, 6:02pm

There are two ways:

configure the plugin to tag the event with something specific and descriptive when it fails
handle failures close to the bits that can cause failure

The below example does both:

filter {
  grok {
    id => "descriptive unique id"
    tag_on_timeout => "your timeout tag for this instance"
    tag_on_failure => ["your failure tag for this instance"]
    match => {
      # ...
    }
  }
  if [tags] include "your timeout tag for this instance" {
    # ... handle timeouts. these events consume a _lot_ of resources
  } else if [tags] include "your failure tag for this instance" {
    # handle failures to parse. 
  }
}

system · July 12, 2019, 6:02pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to know wich grok is failing? Logstash	3	229	December 7, 2023
Logstash Handling Filter Errors Logstash	3	2566	November 18, 2021
Ruby filter plugin: how to indicate failure Logstash	6	2556	February 19, 2019
What is the equivalent of grock parse failure for a ruby script Logstash	2	217	March 5, 2020
Elasticsearch filter plugin won't return failure tag Logstash	1	862	September 6, 2017

How to track failure or exception?

Related topics