Questions about Grok and add_tag

Can anyone help with my two questions regarding grok and add_tag?

  1. Can grok be used more than once in the filter part?

After my first grok, which worked perfectly, I added a second grok to extract some more information from the same event messages. As a test, I simply asked my second grok to add a tag, say "grokked2". I am expecting the new tag to show on all events, but the new tag showed as "_grokparsefailure".

  2. I also was confused why add_tag won't work with the below config file:
    input{ stdin{} }
    filter{ grok{add_tag => ["grokked"]} }
    output{ stdout{ codec=>rubydebug } }

It also resulted in a "_grokparsefailure" tag.

Thanks a lot!

  1. Can grok be used more than once in the filter part?

Yes.

  2. I also was confused why add_tag won't work with the below config file:

The add_tag option normally fires only when the filter is successful, and a grok filter can't succeed if it doesn't have anything to match. If you want to unconditionally add a tag, use the mutate filter.

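The answer above written out as a pipeline config, added here as an example that is not from either poster: two grok filters on the same message, each with its own `match` and failure tag, plus a mutate filter for the unconditional tag. The sample log line, field names and tag names are assumptions made for illustration.

```logstash
# Constructed sample input line to paste on stdin:
#   55.3.244.1 GET /index.html 15824 0.043

input { stdin {} }

filter {
  # First grok: add_tag is applied only when the pattern in "match" matches.
  grok {
    match          => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request}" }
    add_tag        => ["grokked"]
    # Replace the default "_grokparsefailure" so a failure points at this filter.
    tag_on_failure => ["_grokparsefailure_request"]
  }

  # Second grok on the same message: it needs its own "match" as well.
  # Without one it has nothing to succeed on, so add_tag never fires and
  # the event receives the failure tag instead.
  grok {
    match          => { "message" => "%{NUMBER:bytes} %{NUMBER:duration}$" }
    add_tag        => ["grokked2"]
    tag_on_failure => ["_grokparsefailure_size"]
  }

  # Unconditional tag: mutate has nothing to match, so this is added to
  # every event that reaches it.
  mutate {
    add_tag => ["seen"]
  }
}

output { stdout { codec => rubydebug } }
```

With the sample line, the event carries `grokked`, `grokked2` and `seen`; a line that matches neither pattern carries both failure tags and `seen`, which shows which grok rejected it.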