Is GROK parsing automatically assigning a _grokparsefailure to tags field if it does not match a pattern?

skydancer · July 15, 2019, 3:03pm

I imagine this may be a trivial question but since it is my early days with GROK patterns I want to makes sure. I created a custom GROK pattern for my environment and it works fine: my filter file looks for a presence of specific string in the tags field of the events that arrive to Logstash:

 filter {
   if [tags] {
     grok {
       patterns_dir => ["/etc/logstash/patterns"]
       match => {
          "tags" => "%{INDEX_TAG:es_prefix}"
        }
      }
  }

If there is no value matching the INDEX_TAG pattern in my event's tags filed, will that automatically append _grokparsefailure to the tags field?

skydancer · July 15, 2019, 3:12pm

I found an answer here: https://logz.io/blog/logstash-grok/ which seems to be in line with my thinking:

In case of a mismatch, Logstash will add a tag called _grokparsefailure.

Badger · July 15, 2019, 3:38pm

If you try to match against tags then it will iterate over the entire array and if there are multiple matches it will return an array of values. Patterns are not anchored by default, so

input { generator { count => 1 lines => [ '' ] } }
filter {
    mutate { add_tag => [ "foo22", "23", "b24ar", "baz" ] }
    grok { match => { "tags" => "%{NUMBER:es_prefix}" } }
}

will return

 "es_prefix" => [
    [0] "22",
    [1] "23",
    [2] "24"
],

Topic		Replies	Views
Grokparsefailure tag - what does really it mean? Logstash	2	5346	January 8, 2019
Problem tag _grokparsefailure Logstash	1	941	March 8, 2018
Logstash grok _grokparsefailure tag Logstash	3	224	April 29, 2020
_grokparsefailure Tag in all parsed logs with multiple grok filter Logstash	6	1584	September 30, 2020
Grokparsefailure Logstash	8	193	July 4, 2024

Is GROK parsing automatically assigning a _grokparsefailure to tags field if it does not match a pattern?

Related topics