Logstash - grokfilter is successful using grokdebug, but fails in live

One_Punch · August 9, 2021, 3:56pm

Hello, im integratin filebeats and logstash, sample grok pattern works in grokdebug but throwing grokfailure in logstash

Message:

[2m2021-08-09 15:50:07.850 [0;39m [32m INFO [0;39m [35m1 [0;39m [2m--- [0;39m [2m[nio-8085-exec-1] [0;39m [36mo.s.web.servlet.DispatcherServlet [0;39m [2m: [0;39m Completed initialization in 2 ms

Pattern:

%{TIMESTAMP_ISO8601:timestamp} (?:[^:]+)m (?:[^:]+)m %{LOGLEVEL:logLevel} (?:[^:]+)m (?:[^:]+)m%{BASE10NUM:pid} (?:[^:]+)m (?:[^:]+)- (?:[^:]+)m (?:[^:]+)] (?:[^:]+)m (?:[^:]+)m%{DATA:class} (?:[^:]+)m (?:[^:]+): (?:[^:]+)m %{GREEDYDATA:message}

Conf

logstash.conf: |
input {
beats {
port => 5044
ssl => false
}
stdin {
codec => plain { charset=>"UTF-8" }
}
}
filter {
if [message] =~ "\tat" {
grok {
match => ["message", "^(\tat)"]
add_tag => ["stacktrace"]
}
}
grok {
match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} (?:[^:]+)m (?:[^:]+)m %{LOGLEVEL:logLevel} (?:[^:]+)m (?:[^:]+)m%{BASE10NUM:pid} (?:[^:]+)m (?:[^:]+)- (?:[^:]+)m (?:[^:]+)] (?:[^:]+)m (?:[^:]+)m%{DATA:class} (?:[^:]+)m (?:[^:]+): (?:[^:]+)m %{GREEDYDATA:message}" }
}
date {
match => ["timestamp", "YYYY-MM-dd HH:mm:ss.SSS"]
}
mutate {
gsub => ["message", "\u001b", " " ]
}
}
output {
elasticsearch {
hosts => "http://elasticsearch-master:9200"
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
}
stdout { codec => rubydebug }
}

Badger · August 9, 2021, 5:09pm

When I run

input { generator { count => 1 lines => [ '[2m2021-08-09 15:50:07.850 [0;39m [32m INFO [0;39m [35m1 [0;39m [2m--- [0;39m [2m[nio-8085-exec-1] [0;39m [36mo.s.web.servlet.DispatcherServlet [0;39m [2m: [0;39m Completed initialization in 2 ms' ] } }
filter {
    grok { match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} (?:[^:]+)m (?:[^:]+)m %{LOGLEVEL:logLevel} (?:[^:]+)m (?:[^:]+)m%{BASE10NUM:pid} (?:[^:]+)m (?:[^:]+)- (?:[^:]+)m (?:[^:]+)] (?:[^:]+)m (?:[^:]+)m%{DATA:class} (?:[^:]+)m (?:[^:]+): (?:[^:]+)m %{GREEDYDATA:message}" } }
}

I get

   "message" => [
    [0] "[2m2021-08-09 15:50:07.850 [0;39m [32m INFO [0;39m [35m1 [0;39m [2m--- [0;39m [2m[nio-8085-exec-1] [0;39m [36mo.s.web.servlet.DispatcherServlet [0;39m [2m: [0;39m Completed initialization in 2 ms",
    [1] "Completed initialization in 2 ms"
],
     "class" => "o.s.web.servlet.DispatcherServlet",
 "timestamp" => "2021-08-09 15:50:07.850"

so I do not think you are doing what you think you are doing.

One_Punch · August 9, 2021, 5:39pm

Hello @Badger

Im having also trouble in the logs itself. kubernetes logs

2021-08-09 16:29:15.525 INFO 1 --- [nio-8085-exec-1] o.s.web.servlet.DispatcherServlet : Completed initialization in 2 ms

Logstash logs:

[2m2021-08-09 15:50:07.850 [0;39m [32m INFO [0;39m [35m1 [0;39m [2m--- [0;39m [2m[nio-8085-exec-1] [0;39m [36mo.s.web.servlet.DispatcherServlet [0;39m [2m: [0;39m Completed initialization in 2 ms

Is it possible to remove the [2m [32m [0;39m characters?

One_Punch · August 9, 2021, 5:40pm

I want to extract

timestamp
loglevel
class
message

Badger · August 9, 2021, 5:49pm

You could try

mutate { gsub => [ "message", "\[[0-9;]+m\s?", "" ] }

One_Punch · August 9, 2021, 6:00pm

This is the sample message when i've added that and remove my filter

2021-08-09 17:57:13.237INFO1---[nio-8085-exec-1]o.s.web.servlet.DispatcherServlet :Completed initialization in 2 ms

One_Punch · August 9, 2021, 6:10pm

This is the latest message

2021-08-09 18:02:05.950 INFO 1 --- [nio-8085-exec-1] o.s.web.servlet.DispatcherServlet : Completed initialization in 2 ms

One_Punch · August 9, 2021, 6:35pm

      "tags" => [
    [0] "beats_input_codec_plain_applied",
    [1] "_grokparsefailure"
],
   "message" => " 2021-08-09 18:29:58.900  INFO  1  ---  [nio-8085-exec-1]  o.s.web.servlet.DispatcherServlet         : Initializing Servlet 'dispatcherServlet'",
      "host" => {
    "name" => "filebeat-filebeat-8jbts"
}

But in gork its succesfull

Badger · August 9, 2021, 6:41pm

I would use dissect instead of grok

mutate { gsub => [ "message", "\s+", " " ] }
dissect { mapping => { "message" => " %{timestamp} %{+timestamp} %{loglevel} %{pid} --- [%{}] %{class} : %{[@metadata][message]}" }
mutate { replace { "message" => "%{[@metadata][message]}" } }

One_Punch · August 9, 2021, 6:54pm

[2021-08-09T18:54:22,477][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \t\r\n], "#", "=>" at line 15, column 14 (byte 303) after filter { \n dissect { \n mapping => { "message" => " %{timestamp} %{+timestamp} %{loglevel} %{pid} --- [%{}] %{class} : %{[@metadata][message]}" } \n }\n mutate { \n replace ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:184:in initialize'", "org/logstash/execution/JavaBasePipelineExt.java:69:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:365:in block in converge_state'"]}

input {
beats {
port => 5044
ssl => false
}
stdin {
codec => plain { charset=>"UTF-8" }
}
}
filter {
dissect {
mapping => { "message" => " %{timestamp} %{+timestamp} %{loglevel} %{pid} --- [%{}] %{class} : %{[@metadata][message]}" }
}
mutate {
replace { "message" => "%{[@metadata][message]}" }
}
mutate {
gsub => ["message", "\u001b", " ", "message", "[[0-9;]+m\s?", "", "message", "\s+", " " ]
}
}
output {
elasticsearch {
hosts => "http://elasticsearch-master:9200"
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
}
stdout { codec => rubydebug }
}

One_Punch · August 9, 2021, 7:00pm

Ive added => in the replace.

      "tags" => [
    [0] "beats_input_codec_plain_applied",
    [1] "_dissectfailure"
],
"kubernetes" => {

Badger · August 9, 2021, 7:07pm

Change that to

if "_dissectfailure" not in [tags] { mutate { replace => { "message" => "%{[@metadata][message]}" } } }

then show us what the [message] field that got the failure. Copy from the JSON tab on an expanded event in the Kibana Discover pane.

One_Punch · August 9, 2021, 7:47pm

it's already working now but may i know how can i handle this also?

One_Punch · August 9, 2021, 7:50pm

system · September 6, 2021, 7:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok pattern not being applied in logstash but working on grok debugger Logstash	3	599	September 29, 2017
Grok filter succeeds in unit test, in grok debugger, but fails in production Logstash	3	1425	July 6, 2017
Grok filter is not working Logstash	4	12308	July 6, 2017
Grok Parse Failure - CSV input via Filebeat Logstash	3	1020	November 22, 2018
Grokparse failure even grok debugger fine Logstash	9	228	September 1, 2023

Logstash - grokfilter is successful using grokdebug, but fails in live

Related Topics