Is GROK parsing automatically assigning a _grokparsefailure to tags field if it does not match a pattern?

skydancer · July 15, 2019, 3:03pm

I imagine this may be a trivial question but since it is my early days with GROK patterns I want to makes sure. I created a custom GROK pattern for my environment and it works fine: my filter file looks for a presence of specific string in the tags field of the events that arrive to Logstash:

 filter {
   if [tags] {
     grok {
       patterns_dir => ["/etc/logstash/patterns"]
       match => {
          "tags" => "%{INDEX_TAG:es_prefix}"
        }
      }
  }

If there is no value matching the INDEX_TAG pattern in my event's tags filed, will that automatically append _grokparsefailure to the tags field?

skydancer · July 15, 2019, 3:12pm

I found an answer here: https://logz.io/blog/logstash-grok/ which seems to be in line with my thinking:

In case of a mismatch, Logstash will add a tag called _grokparsefailure.

Badger · July 15, 2019, 3:38pm

If you try to match against tags then it will iterate over the entire array and if there are multiple matches it will return an array of values. Patterns are not anchored by default, so

input { generator { count => 1 lines => [ '' ] } }
filter {
    mutate { add_tag => [ "foo22", "23", "b24ar", "baz" ] }
    grok { match => { "tags" => "%{NUMBER:es_prefix}" } }
}

will return

 "es_prefix" => [
    [0] "22",
    [1] "23",
    [2] "24"
],

system · August 12, 2019, 3:38pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Add a tag if a field exists Logstash	4	11743	September 21, 2017
Tag with pattern used Logstash	3	563	May 9, 2017
Adding tags Logstash	3	325	May 2, 2018
Need more information on logstash Logstash	4	350	July 6, 2017
Can we add field in _grokparsefailure if block? Logstash	3	570	October 9, 2017

Is GROK parsing automatically assigning a _grokparsefailure to tags field if it does not match a pattern?

Related Topics