Problem tag _grokparsefailure

samsam · February 8, 2018, 1:09pm

Hello everyone,
I have logstash's problème on TAG.
I have this filter in conf : `filter {

if "kibana" in [message] { drop { } }
grok {
match => ["message", "%{SYSLOGTIMESTAMP:log_timestamp} %{GREEDYDATA:message}"]
overwrite => [ "message" ]
add_tag => [ "grokked" ]
}
date {
match => [ "log_timestamp", "MMM dd HH:mm:ss", "MMM dd HH:mm:ss" ]
target => "log_timestamp"
}
mutate {
rename => { "log_timestamp" => "timelog" }
rename => { " log_timestamp_ISO8601" => "timelog" }
}

if "_grokparsefailure" in [tags] {
mutate {
remove_tag => [ "_grokparsefailure" ]
add_tag => [ "grokked2" ]
}
}
}
`

The problem is that the logs pass the grok well since they have the tag "grokked", but he have "_grokparsefailure " tag too.

How can I proceed please? Thank you !

system · March 8, 2018, 1:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Eliminating _grokparsefailure Logstash	5	2524	July 6, 2017
Getting _dateparsefailure tag Logstash	5	463	May 27, 2020
_grokparsefailure problem Logstash	3	355	September 4, 2019
Logstash Grok Filter Issue Logstash	2	656	April 14, 2017
_grokparsefailure in tags. Not able to change the format of the log Logstash	2	955	November 17, 2017

Problem tag _grokparsefailure

Related topics