Problem tag _grokparsefailure

samsam · February 8, 2018, 1:09pm

Hello everyone,
I have logstash's problème on TAG.
I have this filter in conf : `filter {

if "kibana" in [message] { drop { } }
grok {
match => ["message", "%{SYSLOGTIMESTAMP:log_timestamp} %{GREEDYDATA:message}"]
overwrite => [ "message" ]
add_tag => [ "grokked" ]
}
date {
match => [ "log_timestamp", "MMM dd HH:mm:ss", "MMM dd HH:mm:ss" ]
target => "log_timestamp"
}
mutate {
rename => { "log_timestamp" => "timelog" }
rename => { " log_timestamp_ISO8601" => "timelog" }
}

if "_grokparsefailure" in [tags] {
mutate {
remove_tag => [ "_grokparsefailure" ]
add_tag => [ "grokked2" ]
}
}
}
`

The problem is that the logs pass the grok well since they have the tag "grokked", but he have "_grokparsefailure " tag too.

How can I proceed please? Thank you !

system · March 8, 2018, 1:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Getting _grokparsefailure as a tag Logstash	6	492	May 23, 2018
_dateparsefailure when trying to overwrite @timestamp Logstash	8	146	June 7, 2024
Date FIlter - _dateparsefailure [SOLVED] Logstash	21	21575	November 4, 2022
There is no dateparsefailure in the tag,but it does not work Logstash	10	555	June 6, 2018
Grok filter not working after add tags Logstash	3	872	September 20, 2017

Problem tag _grokparsefailure

Related Topics