Why _grokparsefailer doesn't give specific error

jason_smith · March 18, 2018, 9:21pm

Hello Good folks,

when we have grokparseerror, how can I understand where the error is generated while parsing?
I just tried to grab the first two fields from the file using the following grok filter. It threw error without actually giving details.

   	grok{
		match=>["message",'\[%{HTTPDATE:timestamp}\] %{WORD:efw}']
}

The file I am reading.

[2017-03-03 16:06:02] EFW: TCP_FLAG: prio=2 id=03300004 rev=1 event=tcp_flag_set action=strip_flag bad_flag=ECN rule=TCPECN recvif=interface srcip=10.1.1.1 destip=10.3.0.1 ipdf=1 ipproto=TCP ipdatalen=32 srcport=13111 destport=80 tcphdrlen=32 syn=1 ece=1 cwr=1

Logstash error:
2018-03-18_14-22-41

magnusbaeck · March 18, 2018, 9:30pm

Regular expression matchers typically don't provide details about what part of the expression matched and what part didn't.

The key is to build your expressions gradually. Start with the very simplest you can. When that works, move on by adding more to the end of your expression. Continue until you're done or until it stops matching.

In this particular case the problem is that you're using HTTPDATE. Its definition looks like this:

github.com

logstash-plugins/logstash-patterns-core/blob/v4.1.2/patterns/grok-patterns#L86


DATESTAMP_RFC2822 %{DAY}, %{MONTHDAY} %{MONTH} %{YEAR} %{TIME} %{ISO8601_TIMEZONE}
DATESTAMP_OTHER %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR}
DATESTAMP_EVENTLOG %{YEAR}%{MONTHNUM2}%{MONTHDAY}%{HOUR}%{MINUTE}%{SECOND}


# Syslog Dates: Month Day HH:MM:SS
SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
PROG [\x21-\x5a\x5c\x5e-\x7e]+
SYSLOGPROG %{PROG:program}(?:\[%{POSINT:pid}\])?
SYSLOGHOST %{IPORHOST}
SYSLOGFACILITY <%{NONNEGINT:facility}.%{NONNEGINT:priority}>
HTTPDATE %{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}


# Shortcuts
QS %{QUOTEDSTRING}


# Log formats
SYSLOGBASE %{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:


# Log Levels
LOGLEVEL ([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)

Clearly, this doesn't match the timestamp you have. Try TIMESTAMP_ISO8601 instead.

Have you tried using the grok constructor web site?

jason_smith · March 18, 2018, 9:33pm

That worked Magnusbaeck. Thank You

jason_smith · March 18, 2018, 9:47pm

Can you suggest me any site/links that have samples with grok filters? I googled. I found some blogs but not good samples in them.

thank you

magnusbaeck · March 19, 2018, 7:15am

Grok is just a convenience layer on top of regular expressions, and regular expressions are explained in many places. If you understand regular expressions then you'll understand grok in no time.

jason_smith · March 19, 2018, 4:07pm

Thank You

system · April 16, 2018, 4:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.