Is GROK parsing automatically assigning a _grokparsefailure to tags field if it does not match a pattern?

I imagine this may be a trivial question, but since it is my early days with GROK patterns I want to make sure. I created a custom GROK pattern for my environment and it works fine: my filter file looks for the presence of a specific string in the tags field of the events that arrive at Logstash:

filter {
  if [tags] {
    grok {
      patterns_dir => ["/etc/logstash/patterns"]
      match => {
        "tags" => "%{INDEX_TAG:es_prefix}"
      }
    }
  }
}

If there is no value matching the INDEX_TAG pattern in my event's tags field, will that automatically append _grokparsefailure to the tags field?

I found an answer here: https://logz.io/blog/logstash-grok/ which seems to be in line with my thinking:

In case of a mismatch, Logstash will add a tag called _grokparsefailure.

If you try to match against tags then it will iterate over the entire array and if there are multiple matches it will return an array of values. Patterns are not anchored by default, so

input { generator { count => 1 lines => [ '' ] } }
filter {
    mutate { add_tag => [ "foo22", "23", "b24ar", "baz" ] }
    grok { match => { "tags" => "%{NUMBER:es_prefix}" } }
}

will return

 "es_prefix" => [
    [0] "22",
    [1] "23",
    [2] "24"
],
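
An added example, not part of the thread: the same generator setup as in the reply above, with the unanchored match next to an anchored one and an explicit failure tag, so an index prefix is only taken from a tag that is a number in its entirety. The field names `loose_prefix` and `strict_prefix`, the tag `_es_prefix_missing`, the fallback value `unparsed` and the two input lines are assumptions made for this illustration.

```logstash
# Constructed test input: two events, only the first one gets a purely numeric tag.
input { generator { count => 1 lines => [ 'numeric', 'none' ] } }

filter {
    if [message] == "numeric" {
        mutate { add_tag => [ "foo22", "23", "b24ar", "baz" ] }
    } else {
        mutate { add_tag => [ "foo22", "b24ar", "baz" ] }
    }

    # Unanchored, as in the reply above: digits inside any tag match,
    # so unrelated tags such as "foo22" contribute values.
    grok {
        match => { "tags" => "%{NUMBER:loose_prefix}" }
    }

    # Anchored with ^ and $: only a tag that consists entirely of a number matches.
    # tag_on_failure replaces the default _grokparsefailure with a tag that
    # names this specific check (hypothetical tag name).
    grok {
        match => { "tags" => "^%{NUMBER:strict_prefix}$" }
        tag_on_failure => [ "_es_prefix_missing" ]
    }

    # Handle the failure explicitly instead of letting a later stage use an
    # empty or unexpected prefix (the fallback value is an assumption).
    if "_es_prefix_missing" in [tags] {
        mutate { add_field => { "strict_prefix" => "unparsed" } }
    }
}

output { stdout { codec => rubydebug } }
```

Comparing `loose_prefix` and `strict_prefix` in the rubydebug output of both events shows which tags each form of the pattern accepts.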
