1

here is my log file:

a491489d-3b68-4e19-ba08-cfbe0d910fb9|Exception|f329ba4e-829f-49d1-95fc-e15c5b338d66|Portal.NlogTester|8664e362-f63d-4d10-8a23-3b86b9f22cc7|Portal|TESTER|Button1_Click|08/23/2015 12:51:28|DivideByZeroException|TransactionLog|Attempted to divide by zero.|System.DivideByZeroException: Attempted to divide by zero. at Nlog2Esbtest.WebForm1.Button1_Click(Object sender, EventArgs e) in c:\Users*****\Documents\Visual Studio 2012\Projects\Nlog2Esbtest\Nlog2Esbtest\WebForm1.aspx.cs:line 24

and here is my logstash config:

input {
  file {
    path => "c:\logs\log1.txt"
    start_position => "beginning"
  }
}
filter {    
            grok {
            match => { "message" => "%{UUID:UserId}\|%{WORD:LogType}\|%{UUID:TransactionCode}\|%{JAVACLASS:ServiceName}\|%{UUID:ServiceId}\|%{WORD:Context}\|%{WORD:EntityClass}\|%{WORD:Methods}\|%{DATESTAMP:ActivityTime}\|%{WORD:LogSubType}\|%{WORD:path}\|%{GREEDYDATA:Title}" }
            tag_on_failure => []
             }
        }   
output {
            stdout{}
            file {path => "c:\logs\logout1.txt" }

        }

no matter what i do i keep getting 2 lines in my output files:

{"@timestamp":"2015-08-23T12:58:55.039Z","tags":["_grokparsefailure"]}

and then:

{"message":"059306b7-bee6-421f-a93b-af120a908ab5|Exception|016eb0f4-45b9-4e58-a5d6-98f3c50d207a|Portal.NlogTester|8664e362-f63d-4d10-8a23-3b86b9f22cc7|Portal|TESTER|Button1_Click|08/23/2015 12:58:54|DivideByZeroException|TransactionLog|Attempted to divide by zero.|System.DivideByZeroException: Attempted to divide by zero. at Nlog2Esbtest.WebForm1.Button1_Click(Object sender, EventArgs e) in c:\Users\elitzur.eisner\Documents\Visual Studio 2012\Projects\Nlog2Esbtest\Nlog2Esbtest\WebForm1.aspx.cs:line 24\r","@version":"1","@timestamp":"2015-08-23T12:58:55.255Z","host":"SlavaNili","path":["c:\logs\log1.txt","TransactionLog"],"UserId":"059306b7-bee6-421f-a93b-af120a908ab5","LogType":"Exception","TransactionCode":"016eb0f4-45b9-4e58-a5d6-98f3c50d207a","ServiceName":"Portal.NlogTester","ServiceId":"8664e362-f63d-4d10-8a23-3b86b9f22cc7","Context":"Portal","EntityClass":"TESTER","Methods":"Button1_Click","ActivityTime":"08/23/2015 12:58:54","LogSubType":"DivideByZeroException","Title":"Attempted to divide by zero.|System.DivideByZeroException: Attempted to divide by zero. at Nlog2Esbtest.WebForm1.Button1_Click(Object sender, EventArgs e) in c:\Users\elitzur.eisner\Documents\Visual Studio 2012\Projects\Nlog2Esbtest\Nlog2Esbtest\WebForm1.aspx.cs:line 24\r"}

the second line is fine. but i keep geeting this grokfailure forsome reason. any one has any clue?

p.s. i have cheked that the config is good with --configtest

thanks for any help :)

elitzur e
  • 65
  • 10

2 Answers2

0

Your posting is a bit of a mess, but...

In your grok{}, you have tag_on_failure = [ ], so logstash should not set the grokparsefailure message at all.

I would guess that you have other grok{} stanzas in your config that are failing. Try setting tag_on_failure to something unique for each one; that will identify which one is actually failing.

Alain Collins
  • 16,268
  • 2
  • 32
  • 55
0

I ended up restarting the JAVA.exe service... which fixed the problem for me.

Perhaps logstash was running older version of my config... but either way, it's fine now.

Matt
  • 74,352
  • 26
  • 153
  • 180
elitzur e
  • 65
  • 10
  • i answerd my own question. whats worng with that?? – elitzur e Aug 25 '15 at 12:18
  • please spend more time writing and formatting your answer in future. Before I edited it, it was *very* hard to read, which would explain how it was mistook for not-an-answer. – Matt Aug 25 '15 at 18:17