Logstash continued grokking after _grokparsefailure

groklogstash

Goodday,

(using logstash 1.4.2)

I'm trying to do something like:

filter {
 if type == "feed" {
   grok {
     match => [ "message", "%{COMBINEDAPACHELOGS}" ]
     add_tag => [ "grokked", "web" ]
     tag_on_failure => [ "notweb" ]
   }
  }
  if type == "feed" and "notweb" in [tags] {
    grok {
      patterns_dir => "/opt/logstash/patterns"
      match => [ "message", "%{ERROPARSING}" ]
      add_tag => [ "grokked", "%{[level]}" ] # %{level} named from ERRORPARSING
    }
   }
}

But all the notweb stuff ends up with a _grokparsefailure as if the next step wasn't tested/evaluated.

%{ERRORPARSING} tested correct in the grokdebugger.

Best Answer

Not sure if this is the cause, but a suggestion anyway, this:

if type == "feed" and "notweb" in [tags] {

Is perhaps not totally needed, unless you have multiple different things you're tagging notweb, in which case you could change the tag:

if "notweb" in [tags] {

Also, just because something works in the grokdebugger, doesn't always mean it will work in logstash, there are a few differences, paste your pattern if my first suggestion doesn't help

Related Topic