Will Grok fail if the grok field does not exist?

anhlqn · August 17, 2016, 11:03pm

Given that I have the following grok

filter {
  grok { match => { "my_abc" => "Duration: %{NUMBER:duration}" } }
}

Will grok fail if the my_abc field does not exist in the message?
Would it be necessary to check for field existence first as in

filter {
  if [my_abc] {
      grok { match => { "my_abc" => "Duration: %{NUMBER:duration}" } }
  }
}

Thanks

magnusbaeck · August 18, 2016, 5:35pm

Easy enough to test, right?

$ echo '' | /opt/logstash/bin/logstash -e 'filter { grok { match => { "does not exist" => "does not match" } } }'
Settings: Default pipeline workers: 8
Pipeline main started
{
       "message" => "",
      "@version" => "1",
    "@timestamp" => "2016-08-18T17:34:39.876Z",
          "type" => "stdin",
          "host" => "bertie",
          "tags" => [
        [0] "_grokparsefailure"
    ]
}
Pipeline main has been shutdown
stopping pipeline {:id=>"main"}

Topic		Replies	Views
Add a tag if a field exists Logstash	4	11745	September 21, 2017
Logstash filter "if" condition to check if field exist or not Logstash	2	8125	April 22, 2021
Grok filter: check if field exists Logstash	5	12559	June 25, 2018
Issues with if statement, grok, and mutate Logstash	1	3381	July 6, 2017
Problem to setup sub flieds Logstash	6	255	July 5, 2022

Will Grok fail if the grok field does not exist?

Related topics