Logstash grok regex threw exception

Dee · March 8, 2018, 3:16pm

Hi,
I'm migrating grok patterns from logstash 2.3 to logstash 6.2, so far its going well, except for my syslog logs.
This is the grok pattern I have:

if [type] == "syslog" {
    grok {
    	break_on_match => false
        match => {"message" => "%{MONTH} %{MONTHDAY} %{TIME} %{WORD:action}: %{NOTSPACE:package}"}
        match => {"message" => "%{SYSLOGBASE}"}
        add_tag => ["grokked"]
    }
    date {
    	match => ["timestamp", "ISO8601", "MMM dd HH:mm:ss", "dd-MM-yyyy HH:mm:ss", "dd-MM-yyyy HH:mm:ss:SSS", "dd-MM-yyyy HH:mm:ss.SSS", "yyyy-MM-dd HH:mm:ss,SSS", "HH:mm:ss", "MMM  dd HH:mm:ss"]
      remove_field => ["timestamp"]
    }
  }

And I am getting this exception:

{"level":"WARN","loggerName":"logstash.filters.grok","timeMillis":1520521822400,"thread":"Ruby-0-Thread-17@[main]>worker2: /usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:384","logEvent":{"message":"Grok regexp threw exception","exception":"incompatible encoding regexp match (UTF-8 regexp with ASCII-8BIT string)","backtrace":["org/jruby/RubyRegexp.java:1107:in match'","/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/jls-grok-0.11.4/lib/grok-pure.rb:182:in execute'","/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-grok-4.0.2/lib/logstash/filters/grok/timeout_enforcer.rb:20:in grok_till_timeout'","/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-grok-4.0.2/lib/logstash/filters/grok.rb:342:in block in match_against_groks'","org/jruby/RubyArray.java:1734:in each'","/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-grok-4.0.2/lib/logstash/filters/grok.rb:339:in match_against_groks'","/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-grok-4.0.2/lib/logstash/filters/grok.rb:328:in match'","/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-grok-4.0.2/lib/logstash/filters/grok.rb:296:in block in filter'","org/jruby/RubyHash.java:1343:in each'","/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-grok-4.0.2/lib/logstash/filters/grok.rb:295:in filter'","/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:145:in do_filter'","/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:164:in block in multi_filter'","org/jruby/RubyArray.java:1734:in each'","/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:161:in multi_filter'","/usr/share/logstash/logstash-core/lib/logstash/filter_delegator.rb:47:in multi_filter'","(eval):214:in block in initialize'","org/jruby/RubyArray.java:1734:in each'","(eval):210:in block in initialize'","(eval):166:in block in filter_func'","/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:447:in filter_batch'","/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:426:in worker_loop'","/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:385:in block in start_workers'"],"class":"Encoding::CompatibilityError"}}

Any idea why this is happening?
Thanks!

system · April 5, 2018, 3:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Seeing Grok regexp exception "incompatible encoding regexp match (UTF-8 regexp with ASCII-8BIT string)" Logstash	11	2166	May 15, 2018
Logstash grokparsefailure - message pattern problem Logstash	3	943	February 16, 2017
Failed to parse [timestamp] invalid formate Logstash	2	1189	July 6, 2017
How to debug "Grok regexp threw exception" Logstash	3	1862	July 6, 2017
Syslog with millisecond pattern not matching Logstash	14	5944	June 2, 2018

Logstash grok regex threw exception

Related topics