Logstash _grokparsefailure issues?

stefansaye · April 7, 2016, 9:03am

hi all ,
I'm having issues with grok parsing. In ElasticSearch/Kibana the lines I match come up with the tag _grokparsefailure.

Here is my logstash config :
input {
snmptrap {
yamlmibdir => "/opt/logstash/vendor/bundle/jruby/1.9/gems/snmp- 1.2.0/data/ruby/snmp/mibs"
codec => plain {
charset => "BINARY"
}
type => "snmptrap"
}
}

filter {
de_dot {}
if [type] == "snmptrap"
{
grok {
match => { "message" => "%{IP:@source_ip=\""}" }
add_field => { "source_ip" =>"%{@source_ip="}" }
}

}

output {
elasticsearch { hosts => localhost }
stdout {
codec => rubydebug
}
file {
codec => rubydebug
flush_interval => 1
path => "/tmp/logstash-snmptrap.log"
}
}

my input look like this below.

"message" => "#<SNMP::SNMPv1_Trap:0x1c6c6492 @enterprise=[1.3.6.1.3.92.1.1.7], @timestamp=#<SNMP::TimeTicks:0x680d5191 @value=802993822>, @varbind_list=[#<SNMP::VarBind:0x3deb19e5 @name=[1.3.6.1.3.92.1.1.5.1.3.202.169.174.90], @value=#<SNMP::Integer:0x42dcb23e @value=1>>], @specific_trap=2, @source_ip="10.10.10.12", @agent_addr=#<SNMP::IpAddress:0x405ff22d @value="\xC0\xA8\a\f">, @generic_trap=6>",
"host" => "10.10.10.12",
"@version" => "1",
"@timestamp" => "2016-04-07T08:31:03.697Z",
"type" => "snmptrap",
"MSDP-MIB::msdpPeerState_10_10_14_20" => "1"

Can somebody give me a hint how I can fix the problem?

magnusbaeck · April 8, 2016, 6:26am

match => { "message" => "%{IP:@source_ip=\""}" }

I think you're misunderstanding the grok syntax. You probably mean this:

@source_ip=\"%{IP:source_ip}\"

I suggest you look into the kv filter, especially if you want to parse more than the source IP field.

add_field => { "source_ip" =>"%{@source_ip="}" }

Remove this.