Logstash continued grokking after _grokparsefailure

Question

Goodday,

(using logstash 1.4.2)

I'm trying to do something like:

filter {
 if type == "feed" {
   grok {
     match => [ "message", "%{COMBINEDAPACHELOGS}" ]
     add_tag => [ "grokked", "web" ]
     tag_on_failure => [ "notweb" ]
   }
  }
  if type == "feed" and "notweb" in [tags] {
    grok {
      patterns_dir => "/opt/logstash/patterns"
      match => [ "message", "%{ERROPARSING}" ]
      add_tag => [ "grokked", "%{[level]}" ] # %{level} named from ERRORPARSING
    }
   }
}

But all the notweb stuff ends up with a _grokparsefailure as if the next step wasn't tested/evaluated.

%{ERRORPARSING} tested correct in the grokdebugger.

I'm not too sure whether I should ask this in StackExchange or StackOverflow, it's not really programming, but still it is %-| — Hevisko, Mar 19 '15 at 14:09

score 1 · Answer 1 · answered Apr 29 '15 at 22:09

Not sure if this is the cause, but a suggestion anyway, this:

if type == "feed" and "notweb" in [tags] {

Is perhaps not totally needed, unless you have multiple different things you're tagging notweb, in which case you could change the tag:

if "notweb" in [tags] {

Also, just because something works in the grokdebugger, doesn't always mean it will work in logstash, there are a few differences, paste your pattern if my first suggestion doesn't help

Logstash continued grokking after _grokparsefailure

1 Answers1