Why is this logstah filter not working as intended?

Sorry if this is too related to my previous post, but here goes:

I have two types of messages that I want to send to logstash. One is a "standard" log type message and the other is a JSON object. I only want the message to go through the json filter only if it fails the grok filter. For some reason though, none of the json objects are being parsed, nor are they getting tagged with _grokparsefailure either. In fact, I can't see them at all in kibana. What am I doing wrong here?

filter {
  grok {
    match => { "message" =>
    "\[%{TIMESTAMP_ISO8601:log_time}\]\[%{LOGLEVEL:log_level}\s*\]\[%{DATA:thread_name}\]\[%{DATA:class_name}\]%{GREEDYDATA:log_msg}" }
  if "_grokparsefailure" in [tags] {
    json {
      source => "message"
      add_tag => ["RiskExplain"]
      # remove_tag => ["_grokparsefailure"]

Hi there,

can you try outputting to stdout and let us know what your logs look like? Thanks!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.