Why is this logstash filter not working as intended?

Sorry if this is too related to my previous post, but here goes:

I have two types of messages that I want to send to logstash. One is a "standard" log type message and the other is a JSON object. I want the message to go through the json filter only if it fails the grok filter. For some reason though, none of the json objects are being parsed, nor are they getting tagged with _grokparsefailure either. In fact, I can't see them at all in kibana. What am I doing wrong here?

filter {
  grok {
    match => { "message" =>
    "\[%{TIMESTAMP_ISO8601:log_time}\]\[%{LOGLEVEL:log_level}\s*\]\[%{DATA:thread_name}\]\[%{DATA:class_name}\]%{GREEDYDATA:log_msg}" }
  }
  if "_grokparsefailure" in [tags] {
    json {
      source => "message"
      add_tag => ["RiskExplain"]
      # remove_tag => ["_grokparsefailure"]
    }
  }
}

Hi there,

can you try outputting to stdout and let us know what your logs look like? Thanks!
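
One way to follow the suggestion above, as an added example that is not part of the original thread: a stand-alone pipeline that reads lines from stdin, applies the filter from the question unchanged, and prints every event with its tags to stdout. The file name `debug.conf` and pasting sample lines by hand are assumptions.

```conf
# debug.conf (hypothetical file name): run with  bin/logstash -f debug.conf
# then paste one "standard" log line and one JSON line on stdin.
input {
  stdin { }
}

filter {
  # Filter from the question, unchanged.
  grok {
    match => { "message" =>
    "\[%{TIMESTAMP_ISO8601:log_time}\]\[%{LOGLEVEL:log_level}\s*\]\[%{DATA:thread_name}\]\[%{DATA:class_name}\]%{GREEDYDATA:log_msg}" }
  }
  if "_grokparsefailure" in [tags] {
    json {
      source => "message"
      add_tag => ["RiskExplain"]   # applied only when the JSON parses
    }
  }
}

output {
  # rubydebug prints every field, including "tags", so each event shows
  # whether it carries _grokparsefailure, _jsonparsefailure or RiskExplain.
  stdout { codec => rubydebug }
}
```

If both sample lines print with the expected tags here, the problem lies in the real input or output stage rather than in the filter.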
