Logstash Handling Filter Errors

maltewhiite · October 21, 2021, 11:21am

I want to handle errors in my Logstash Filter.

How do I do that? And more importantly, where is the documentation?

I can see there is Documentation here for Elastic Pipeline Error Handling:

Is there something similar for Logstash?

If I have a very specific Grok filter and if statements and mutates etc etc, and the Logs change, how will I know? Will the Logstash filter just crash? Will it ignore the errors? Will it stop sending those logs to Elastic?

If I could Tag each log that "misses" our Grok filters, with a tag like "error", then in Kibana I could find the logs that have changed, and now miss my Logstash Filters, just like we add_tag => ["grokked"].

I basically want to read Documentation about handling Errors in Logstash, but I can't seem to find it via Google. I only find the Elastic pipeline error handling documentation.

Edit: I found this post from 2016, talking about Exception handling. Where can I find the Documentation for it? How does he know which tag will be put on after a failed parsing? He says:

aaron-nimocks · October 21, 2021, 11:29am

Errors are saved in an array named tags. For example Grok will add _grokparsefailure to that tag when something happens. Then you can do your error handling from that.

if "_grokparsefailure" in [tags] {
# do something
}

_grokparsefailure documentation
_mutate_error

The tag_on_failure option is what you are looking for and you can set it to what you want or use the defaults.

maltewhiite · October 21, 2021, 11:31am

Thanks a lot Aaron. Lightning fast response. Hope you have a nice day!

system · November 18, 2021, 11:31am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.