I am trying to parse this log line:

 - 2014-04-29 13:04:23,733 [main] INFO (api.batch.ThreadPoolWorker) Command-line options for this run:

Here's the logstash config file I use:

input {
  stdin {}
}

filter {
  grok {
    match => [ "message", " - %{TIMESTAMP_ISO8601:time} \[%{WORD:main}\] %{LOGLEVEL:loglevel} %{JAVACLASS:class} %{DATA:mydata} " ]
  }

  date {
    match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
  }
}

output {
  elasticsearch {
    host => "localhost"
  }
  stdout { codec => rubydebug }
}
Here's the output I get:

{
       "message" => " - 2014-04-29 13:04:23,733 [main] INFO (api.batch.ThreadPoolWorker) Commans run:",
      "@version" => "1",
    "@timestamp" => "2015-02-02T10:53:58.282Z",
          "host" => "NAME_001.corp.com",
          "tags" => [
        [0] "_grokparsefailure"
    ]
}

Can anyone please help me find where the problem is in the grok pattern? I tried to parse that line in http://grokdebug.herokuapp.com/ but it parses only the timestamp, %{WORD} and %{LOGLEVEL}; the rest is ignored!

sally

1 Answer


There are two errors in your config.

First

The error in the grok pattern is the JAVACLASS: you have to include the ( ) in the pattern, for example: \(%{JAVACLASS:class}\).

Second

The date filter's match has two values. The first is the field you want to parse, so in your example it is time, not timestamp. The second value is the date pattern. You can refer to the date filter documentation for details.

Here is the config:

input {
        stdin {}
}

filter {
        grok {
                match => [ "message", " - %{TIMESTAMP_ISO8601:time} \[%{WORD:main}\] %{LOGLEVEL:loglevel} \(%{JAVACLASS:class}\) %{GREEDYDATA:mydata}" ]
        }
        date {
                match => [ "time" , "YYYY-MM-dd HH:mm:ss,SSS" ]
        }
}

output {
        stdout {
                codec => rubydebug
        }
}

FYI. Hope this can help you.

Ban-Chuan Lim
  • Thank you Ben for your feedback. I already tried your solution; adding \(%{JAVACLASS:class}\ doesn't solve the problem. The pattern JAVACLASS actually works fine when I use it alone in the match pattern: it extracts the Java class: {... "class" => "api.batch.ThreadPoolWorker" }. But when I add the rest of the patterns along with the JAVACLASS it gives me the _grokparsefailure error tag. I tested the other patterns and they work fine too; it's just combining all of them together with JAVACLASS that creates an error. Any suggestions please? – sally Feb 03 '15 at 08:57
  • Your log sample worked on my config. And the JAVACLASS pattern is: \(%{JAVACLASS:class}\), including the `\`. Please have a try with my config. – Ban-Chuan Lim Feb 03 '15 at 09:39
  • I tried again after deleting all failed logs from elasticsearch and it worked now. Thank you so much for your help. – sally Feb 03 '15 at 09:56
  • Actually I need to parse a log file that contains thousands of log lines that have the same format as the line I showed before, sometimes with a Java stack trace. But when I added this line to my file entry: - 2014-04-29 13:04:23,700 [main] INFO (api.batch.ThreadPoolWorker) Loading properties from classpath resource file:/prop/env3/logiciels/jkl/nnh/devprint/splapp/standalone/config/threadpoolworker.properties it parsed only the first line that I was testing with and not the above one. Is this pattern supposed to parse my whole log file? Or would it break once it finds a match? – sally Feb 03 '15 at 11:57
  • You have to use the multiline filter. Please have a look: http://logstash.net/docs/1.4.2/filters/multiline. If you have another problem, please kindly ask another question. :) – Ban-Chuan Lim Feb 03 '15 at 11:58
  • I tried the multiline config. Can you please take a look at it and tell me what's wrong: input { # stdin {} file { path => "/root/test2.log" start_position => "beginning" }} filter { multiline { pattern => " ^-%{SPACE}%{SPACE}%{TIMESTAMP_ISO8601}" negate => true what => "previous" } grok { match => [ "message", " -%{SPACE}%{SPACE}%{TIMESTAMP_ISO8601:time} \[%{WORD:main}\] %{LOGLEVEL:loglevel}%{SPACE}%{SPACE}\(%{JAVACLASS:class}\) %{GREEDYDATA:mydata}"] } date { match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ] } } – sally Feb 03 '15 at 15:38
  • The file I use contains these lines: - 2014-04-29 13:04:23,530 [main] INFO (api.batch.ThreadPoolWorker) Command-line options for this run: - 2014-04-29 13:04:23,700 [main] INFO (api.batch.ThreadPoolWorker) Loading properties from classpath resource file:/logiciels/ccnb//splapp/standalone/config/threadpoolworker.properties - 2014-01-14 11:09:38,623 [main] ERROR (support.context.ContextFactory) Error getting connection to database jdbc:oracle:thin:, with user cisuser and driver oracle.jdbc.driver.OracleDriver java.sql.SQLException: ORA-28001: the password has expired – sally Feb 03 '15 at 15:48
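To make the fix in the answer and the multiline step from the comments concrete, here is an added Python example. It is not code from the question, the answer, or Logstash itself: it expands the corrected grok pattern by hand into a regex with the escaped `\(` `\)` around the class, parses the timestamp from the field grok actually creates (`time`), and stitches continuation lines onto the previous event the way `negate => true, what => "previous"` does. The sub-pattern expansions are simplified stand-ins for Logstash's TIMESTAMP_ISO8601, WORD, LOGLEVEL, JAVACLASS and GREEDYDATA (an assumption of this example), and the sample log is constructed from the lines quoted in the comments plus one made-up stack-trace line and one malformed line to show the `_grokparsefailure` path.

```python
import re
from datetime import datetime

# Hand-expanded equivalent of the answer's corrected grok pattern. The
# sub-patterns are simplified stand-ins for Logstash's TIMESTAMP_ISO8601,
# WORD, LOGLEVEL, JAVACLASS and GREEDYDATA (an assumption of this example,
# not copied from the grok pattern files). The literal \( and \) around the
# class are the fix from the answer: JAVACLASS alone cannot consume the
# parentheses in "(api.batch.ThreadPoolWorker)", so the whole match failed.
EVENT_RE = re.compile(
    r"^\s*-\s+"
    r"(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+"
    r"\[(?P<main>\w+)\]\s+"
    r"(?P<loglevel>TRACE|DEBUG|INFO|WARN(?:ING)?|ERROR|FATAL|SEVERE)\s+"
    r"\((?P<class>(?:[A-Za-z$_][A-Za-z$_0-9]*\.)*[A-Za-z$_][A-Za-z$_0-9]*)\)\s*"
    r"(?P<mydata>.*)$",
    re.DOTALL,  # GREEDYDATA-like: let mydata swallow appended stack-trace lines
)

# multiline filter, negate => true, what => "previous": any line that does NOT
# look like the start of an event is glued onto the event before it.
EVENT_START_RE = re.compile(r"^\s*-\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# The answer's date pattern translated to strptime; it is applied to the
# "time" field that grok creates, not to a non-existent "timestamp" field.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S,%f"


def stitch_events(lines):
    """Group raw lines into events; continuation lines join the previous event."""
    events = []
    for line in lines:
        if EVENT_START_RE.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def parse_event(event):
    """Extract the grok fields from one event, or tag it like _grokparsefailure."""
    m = EVENT_RE.match(event)
    if not m:
        return {"message": event, "tags": ["_grokparsefailure"]}
    fields = m.groupdict()
    fields["message"] = event
    parsed = datetime.strptime(fields["time"], TIME_FORMAT)
    fields["@timestamp"] = parsed.isoformat(timespec="milliseconds")
    return fields


def parse_log(text):
    """Full pipeline: split, stitch multi-line events, then grok each one."""
    return [parse_event(e) for e in stitch_events(text.splitlines())]


# Constructed sample: the three lines quoted in the comments, followed by a
# made-up stack-trace continuation and one malformed line without parentheses.
SAMPLE_LOG = (
    " - 2014-04-29 13:04:23,530 [main] INFO (api.batch.ThreadPoolWorker) "
    "Command-line options for this run:\n"
    " - 2014-04-29 13:04:23,700 [main] INFO (api.batch.ThreadPoolWorker) "
    "Loading properties from classpath resource "
    "file:/logiciels/ccnb//splapp/standalone/config/threadpoolworker.properties\n"
    " - 2014-01-14 11:09:38,623 [main] ERROR (support.context.ContextFactory) "
    "Error getting connection to database jdbc:oracle:thin:, with user cisuser "
    "and driver oracle.jdbc.driver.OracleDriver\n"
    "java.sql.SQLException: ORA-28001: the password has expired\n"
    "\tat example.Constructed.method(Constructed.java:1)\n"
    " - 2014-04-29 13:04:24,001 [main] WARN api.batch.ThreadPoolWorker no parentheses\n"
)

if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(ev.get("tags") or ev["@timestamp"], ev.get("class"), ev.get("mydata", "")[:40])
```

Running it shows the three well-formed events with their class and timestamp, the SQLException text carried inside `mydata` of the ERROR event because the stitching happened before the regex ran, and the malformed last line tagged `_grokparsefailure`, which is the same symptom the question's output showed when the parentheses were missing from the pattern.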