Some logs (Erlang VM) can't be parsed by the provided grok expression, example log entries:
2019-07-29 14:14:43.032 [error] emulator Discarding message {'$gen_call',{<0.442.0>,#Ref<0.3746561768.1184890881.104501>},stat} from <0.442.0> to <0.32134.65> in an old incarnation (1) of this node (2)
2019-07-29 14:14:43.035 [error] emulator Discarding message {'$gen_call',{<0.435.0>,#Ref<0.3746561768.1184890881.104506>},stat} from <0.435.0> to <0.3956.17> in an old incarnation (1) of this node (2)
2019-07-29 14:14:43.311 [error] emulator Discarding message {'$gen_call',{<0.431.0>,#Ref<0.3746561768.1184890881.104511>},stat} from <0.431.0> to <0.32141.65> in an old incarnation (1) of this node (2)
- Version: filebeat 7.1.2
- Operating System: official docker image
- Steps to Reproduce: enable RabbitMQ module, restart RabbitMQ server. Tested with RabbitMQ server 3.8.1
Log examples:
- https://groups.google.com/g/rabbitmq-users/c/OQr3IB_ddEM
- Force Event Refresh causes lots of discarded messages · Issue #92 · rabbitmq/rabbitmq-management-agent · GitHub
- https://groups.google.com/g/rabbitmq-users/c/QNTkoKrg2H0
Suggested fix:
grok pattern should be adjusted, ERL_PID field could be optional
"%{DATESTAMP:timestamp} \\[%{WORD:log.level}\\]( %{ERL_PID:rabbitmq.log.pid})?
%{GREEDYMULTILINE:message}"