`Provided Grok expressions do not match field value` Apache Filebeat

Filebeat: 7.9.2

We are using a custom log format for Apache. The Filebeat Apache module (i.e. `/usr/share/filebeat/module/apache/access/ingest/pipeline.yml`) is updated with a single Grok expression that matches our custom log format. We are running this on Kubernetes and all logs go to stdout.

Every request to our Apache servers is creating three ES entries:

  1. A copy of the request from stdout
  2. A correctly parsed version of the Apache request
  3. An entry that says `Provided Grok expressions do not match field value`

The Apache logs are being parsed correctly, but there is still an error saying `Provided Grok expressions do not match field value`. My best guess is that two (or three) Filebeat pipelines are being applied to every Apache log line. How would I track down this issue?
