Why _grokparsefailure?

trelo · December 10, 2018, 7:58am

Hi, here is my config:

input {
  stdin {}
  file {
    codec => multiline {
      pattern => "^{%{DATESTAMP_EVENTLOG}"
      what => "previous"
      negate => true
      multiline_tag => ""
    }
    path => "/tmp/testdata"
    start_position => "beginning"
    sincedb_path => "/dev/null"
#    break_on_match => true
  }
}

filter {
  mutate {
    gsub => ["message","\n",""]
}
  mutate {
    remove_field => [ "host", "@version", "path", "tags", "@timestamp", "@version"]
}
  grok {
    match => [ "message", "{%{DATESTAMP_EVENTLOG:date},%{DATA:sda},{%{DATA:qwe},%{INT:cxzc}},%{INT:iueqiwueiquweiq},%{INT:vcxv},%{INT:gff},%{INT:ifjidjfidjfijd},%{INT:ret},%{DATA:nbvn},\\"%{DATA:nbvn}\\",%{INT:vxcv},{\\"P\\",{6,{%{GREEDYDATA:zxckeowkek}},{%{GREEDYDATA:xczx}}}},\\"%{DATA:sdasdew}\\",%{INT:cxzsa},%{INT:nvbre},%{INT:fgwe34c},%{INT:nhrtyew},%{INT:dqrtq}%{GREEDYDATA:drop}" ]
  }
}


output {
    stdout { codec => rubydebug }
#    file { path => "/tmp/debug.out" }
}

Output:

{
       "tags" => [
        [0] "_grokparsefailure"
"message" => "{20181004010443,N,{0,0},640,12,3,20340532,3,s,\"\",0,{\"P\",{6,{\"S\",\"ДАННЫЕ\"},{\"S\",\"LOPS\\ДАННЫЕ\"}}},\"\",1,17,17,258497671,0,{0}},"
}

But why the result is _grokparsefailure? I tested it with Kibana grok debugger and it's working.

trelo · December 11, 2018, 7:42am

Please, help!

it works if send data to stdin, but doesn't with data from file. Why?

In file I've multiline events, they handled by multiline codec to be single line:

{20181004010443,N,{0,0},640,12,3,20340532,3,s,\"\",0,{\"P\",{6,{\"S\",\"ДАННЫЕ\"},{\"S\",\"LOPS\\ДАННЫЕ\"}}},\"\",1,17,17,258497671,0,{0}},

[Album] Imgur

shwesinhan · December 11, 2018, 7:51am

i also have faced multi-line problem
i remove line breaks since app level eg Regex.Replace(str, @"\n|\r", ""); then pass to logstash
it works, no more _grokparsefailure on multiline logs

trelo · December 11, 2018, 8:20am

It's impossible in my case. I've more than 1TB plain log already.

trelo · December 13, 2018, 12:24pm

The problem was with stdout rubydebug. With other outputs works well.

system · January 10, 2019, 12:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok parsefailure Logstash	8	494	June 2, 2020
Grokparsefailure! wtf? Logstash	8	858	June 14, 2020
Logstash - grokparsefailure Logstash	6	343	June 20, 2018
Need more information on logstash Logstash	4	350	July 6, 2017
Getting _grokparsefailure as a tag Logstash	6	492	May 23, 2018

Why _grokparsefailure?

Related Topics