Tags:_grokparsefailure

Bashir_Mihyar · September 7, 2020, 10:07am

Hello,
I am new to this stack, and i am looking for an answer for the below:
When i am in kibana discover tab, i see records with tags: _grokparsefailure, while i expect to see host: logs.myserver.me
Details:

my nginx log format is: log_format logstash '$host';
my logstash filter is:

filter {
  if [program] == "nginx_access" {
    grok {
      patterns_dir => "/etc/logstash/patterns"
      #match => { "message" => "%{NGINX_ACCESS}" }
      #match => { "message" => "%{DATA:host} %{IPORHOST:remote_ip} %{DATA:remote_user} %{URIPATHPARAM:request} %{INT:status} %{NUMBER:$body_bytes_sent} %{DATA:http_referer} %{DATA:http_user_agent}"}
      match => { "message" => "%{HOSTNAME:host}"}
      remove_tag => ["nginx_access", "_grokparsefailure"]
      add_field => {
        "type" => "nginx_access"
      }
      remove_field => "message"
    }

    date {
      match => ["time_local", "dd/MMM/YYYY:HH:mm:ss Z"]
      target => "@timestamp"
      remove_field => "time_local"
    }

    useragent {
      source => "user_agent"
      target => "useragent"
      remove_field => "user_agent"
    }
  }

}

Can any tell me what i am doing wrong ?

system · October 5, 2020, 10:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
_grokparsefailure and I have no idea Logstash	2	247	November 11, 2020
Eliminating _grokparsefailure Logstash	5	2524	July 6, 2017
_grokparsefailure tag not removed Logstash	2	5139	June 26, 2017
Problem tag _grokparsefailure Logstash	1	918	March 8, 2018
Nginx access log using grok filter Logstash	2	2971	March 21, 2023

Tags:_grokparsefailure

Related topics