`Provided Grok expressions do not match field value` Apache Filebeat

willis · November 2, 2020, 1:42pm

Filebeat: 7.9.2

We are using a custom log format for Apache. The filebeat apache module (i.e. /usr/share/filebeat/module/apache/access/ingest/pipeline.yml) is updated with a single Grok expression that matches our custom log format. We are running this on kubernetes and all logs go to stdout.

Every request to our Apache servers is creating three ES entries:

A copy of the request from stdout
A correctly parsed version of the Apache request
An entry that says Provided Grok expressions do not match field value

The Apache logs are being parsed correctly but there is still an error saying Provided Grok expressions do not match field value. My best guess is that two (or three) Filebeat pipelines are being applied to every Apache log line. How would I track down this issue?

system · November 30, 2020, 3:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Provided Grok expressions do not match field value Elasticsearch	1	278	February 24, 2023
Provided Grok expressions do not match field value: Beats filebeat	1	402	February 4, 2021
Filebeat Apache Module Ingest Pipeline Beats filebeat	1	586	October 18, 2019
Filebeat "Provided Grok expressions do not match field value" Beats filebeat	1	1098	January 7, 2021
Filebeat apache module unable to parse certain logs Beats beats-module , filebeat	7	642	July 3, 2019

`Provided Grok expressions do not match field value` Apache Filebeat

Related Topics