Logstash and Grok always show _grokparsefailure

Question

I am using https://grokdebug.herokuapp.com/ to build grok filters for logstash, but even though grokdebug shows corrected parsed message, my kibana showing _grokparsefailure

message [2015-12-01 08:53:16] app.INFO: Calories 4 [] []
pattern %{SYSLOG5424SD} %{JAVACLASS}: %{WORD} %{INT} %{GREEDYDATA}

What am I doing wrong? Notice that first filter with tag "google" and GREEDYDATA works, and second always fails

score 1 · Accepted Answer · answered Dec 01 '15 at 09:48

1

Ok so I found the solution. Correct pattern is: \[%{TIMESTAMP_ISO8601:timestamp}\] %{DATA}%{LOGLEVEL:level}: Calories %{WORD:calories_count} %{GREEDYDATA:msg}
Even tough I used https://grokdebug.herokuapp.com to find the pattern, it was completely irrelevant.

answered Dec 01 '15 at 09:48

ssuperczynski

3,190
3
44
61

The debugger's "Discover" feature really makes a wild guess on the types, based on only one input sample. It's better to set the patterns specifically, as you did. – Alain Collins Dec 01 '15 at 23:54

Logstash and Grok always show _grokparsefailure

1 Answers1