Logstash - Is it Possible To Handle Dissect Failures Without Filling Up Syslog

scott_stash · August 24, 2020, 2:39am

Hello ELK Community,

I have a pipeline that processes a certain type of log file, depending on where the log file was generated the fields may be different, this causes my dissect to fail.

With the following code block I can catch the failure, run a GROK and parse it successfully(or run a second dissect):

 if ("_dissectfailure" in [tags]) {
        grok {
            match => {"message" => [ "..." ] }
            remove_field => [ "tags" ]
        }
    }

The problem is my syslog logs an error message for every dissect failure, this causes disk space issues and the people. Is there a way to better handle this scenario? I think setting tag_on_failure to false still causes the ERROR to log.

Badger · August 24, 2020, 3:25pm

What gets logged?

scott_stash · August 25, 2020, 1:07am

Aug 24 12:19:02 machinename.fqdn.com logstash[23808]: [2020-08-24T12:19:02,454][WARN ][org.logstash.dissect.Dissector] Dissector mapping, pattern not found {"field"=>"message", "pattern"=>"%{logTimestamp} %{logClass} %{} %{logLevel} %{logMessage}", "event"=>{}}

I removed the event data.

Badger · August 25, 2020, 1:23am

The dissector is quite aggresive about logging warnings, that is why it recommends doing a pattern check to be sure the dissect will work.

system · September 22, 2020, 1:23am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to determine when dissect fails and branch to try a different dissect clause? Logstash	5	5082	January 10, 2019
Using _dissectfailure for matching multiple lines with dissect Logstash	1	652	September 27, 2021
Suppress Dissector mapping failure logs Logstash	3	1210	May 29, 2020
Dissect failure for no obvious reason Logstash	4	1243	October 29, 2020
Eliminating _grokparsefailure Logstash	5	2560	July 6, 2017

Logstash - Is it Possible To Handle Dissect Failures Without Filling Up Syslog

Related topics