Logstash - Is it Possible To Handle Dissect Failures Without Filling Up Syslog

scott_stash · August 24, 2020, 2:39am

Hello ELK Community,

I have a pipeline that processes a certain type of log file, depending on where the log file was generated the fields may be different, this causes my dissect to fail.

With the following code block I can catch the failure, run a GROK and parse it successfully(or run a second dissect):

 if ("_dissectfailure" in [tags]) {
        grok {
            match => {"message" => [ "..." ] }
            remove_field => [ "tags" ]
        }
    }

The problem is my syslog logs an error message for every dissect failure, this causes disk space issues and the people. Is there a way to better handle this scenario? I think setting tag_on_failure to false still causes the ERROR to log.

Badger · August 24, 2020, 3:25pm

What gets logged?

scott_stash · August 25, 2020, 1:07am

Aug 24 12:19:02 machinename.fqdn.com logstash[23808]: [2020-08-24T12:19:02,454][WARN ][org.logstash.dissect.Dissector] Dissector mapping, pattern not found {"field"=>"message", "pattern"=>"%{logTimestamp} %{logClass} %{} %{logLevel} %{logMessage}", "event"=>{}}

I removed the event data.

Badger · August 25, 2020, 1:23am

The dissector is quite aggresive about logging warnings, that is why it recommends doing a pattern check to be sure the dissect will work.

system · September 22, 2020, 1:23am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to determine when dissect fails and branch to try a different dissect clause? Logstash	5	4964	January 10, 2019
Dissectfailure when it shouldn't Logstash	4	348	September 19, 2022
Suppress Dissector mapping failure logs Logstash	3	1168	May 29, 2020
Using _dissectfailure for matching multiple lines with dissect Logstash	1	605	September 27, 2021
Logstash filtering drives me nuts Logstash	8	436	June 16, 2021

Logstash - Is it Possible To Handle Dissect Failures Without Filling Up Syslog

Related topics