Logstash grokparsefailure when multiple IF ELSE in use

Hello experts,
Please help me figure out where the problem is and what more I can try.

filter
{
  if "...." in [......]
  { ... }

  if "test" in [tags]   # <--- true in my case
  {
    if "syl1dsaws" in [message]
    {
      grok {
        match => { "message" => "syl1dsaws %{NUMBER:syl1dsaws_result:int} %{NUMBER:syl1dsaws_errors:int}"}
      }
    }
    else if "syl1us" in [message]
    {
      grok {
        match => { "message" => "syl1us %{NUMBER:syl1us_result:int} %{NUMBER:syl1us_errors:int}"}
      }
    }
    else if "syl1usaws" in [message]
    {
      grok {
        match => { "message" => "syl1usaws %{NUMBER:syl1usaws_result:int} %{NUMBER:syl1usaws_errors:int}"}
      }
    }
    else if "syl1ds" in [message]
    {
      grok {
        match => { "message" => "syl1ds %{NUMBER:syl1ds_result:int} %{NUMBER:syl1ds_errors:int}"}
      }
    }

    mutate {
      convert => { "syl1ds_result" => "integer" }
      convert => { "syl1dsaws_result" => "integer" }
      convert => { "syl1ds_errors" => "integer" }
      convert => { "syl1dsaws_errors" => "integer" }
      convert => { "syl1us_result" => "integer" }
      convert => { "syl1usaws_result" => "integer" }
      convert => { "syl1us_errors" => "integer" }
      convert => { "syl1usaws_errors" => "integer" }
    }
  }
}

Now,
Message 1: "syl1ds 185 44" this grok works fine.
Message 2: "syl1us 185 44" this grok works fine.
Message 3: "syl1dsaws 185 44" this grok FAILS.
Message 4: "syl1usaws 185 44" this grok FAILS.

Your grok patterns are very simple, and they appear to be correct for the four examples you posted. I'd try using the stdout output if you see _grokparsefailure in tags during output filtering. It's possible your NUMBER fields don't parse as a number (some non-number character is there), or maybe there is data before or after? Using the stdout output, you'd then see what the message data really was. Also, you don't need to be using the mutate convert in your Logstash config either. In your grok pattern, you're using the optional data type conversion :int. No need to do it again.
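An added example, not part of the original thread and not Logstash code: a Python emulation of the conditional chain in the question, showing how substring tests in an if / else if chain can send a message into the wrong grok branch. It assumes `"x" in [message]` is a substring test on a string field, that grok patterns are unanchored, and it uses a simplified regex in place of grok's NUMBER; `route`, `shadowed` and `safe_order` are hypothetical helper names.

```python
import re

# Simplified stand-in for grok's NUMBER pattern (assumption: plain integers/decimals).
NUMBER = r"[+-]?\d+(?:\.\d+)?"

# Branch order exactly as written in the posted filter.
POSTED_ORDER = ["syl1dsaws", "syl1us", "syl1usaws", "syl1ds"]

# Constructed sample input: the four messages quoted in the question.
MESSAGES = ["syl1ds 185 44", "syl1us 185 44", "syl1dsaws 185 44", "syl1usaws 185 44"]


def route(message, order):
    """Emulate the if / else if chain: the first branch whose name occurs
    anywhere in the message wins, then that branch's grok pattern is tried."""
    for name in order:
        if name in message:  # substring test, like `"name" in [message]`
            pattern = rf"{re.escape(name)} ({NUMBER}) ({NUMBER})"
            matched = re.search(pattern, message) is not None  # unanchored
            return name, matched
    return None, False


def shadowed(order):
    """Return (earlier, later) pairs where the earlier branch name is a
    substring of a later one, so the later branch can never be reached."""
    return [(a, b) for i, a in enumerate(order) for b in order[i + 1:] if a in b]


def safe_order(order):
    """Put the longest names first so no branch shadows a later one."""
    return sorted(order, key=len, reverse=True)


if __name__ == "__main__":
    for label, order in (("posted", POSTED_ORDER),
                         ("longest-first", safe_order(POSTED_ORDER))):
        print(f"{label}: shadowed pairs = {shadowed(order)}")
        for msg in MESSAGES:
            branch, ok = route(msg, order)
            status = "ok" if ok else "_grokparsefailure"
            print(f"  {msg!r:22} -> branch {branch}: {status}")
```

In the order shown in the post, the emulation sends the `syl1usaws` message into the `syl1us` branch, whose pattern expects a space after `syl1us`. The same check reports `syl1ds` shadowing `syl1dsaws` whenever a chain lists `syl1ds` first.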
