Nagios Support Forum

Posted: **Tue Nov 25, 2014 11:18 pm**

Hi

Needed some help with a potential poorly formed filter.

I have the below filter in place on my log server:

if [SourceModuleName] == 'adv_iis_log1.voy-web1-ec2' {
mutate {
replace => [ 'host', 'voy-web1-ec2' ]
}
}

if [SourceModuleName] == 'adv_iis_log1.voy-web2-ec2' {
mutate {
replace => [ 'host', 'voy-web2-ec2' ]
}
}

Now the above filter is working great for anything where it matches the SourceModuleName. However for everything else say a syslog entry for a router it will add tags with _grokparsefailure

Does anyone see what I am doing wrong?

Cheers,
Dom

Posted: **Wed Nov 26, 2014 12:46 pm**

I think this just implies there was no match. From the logstash faq(http://logstash.net/docs/1.2.0/filters/grok):

tag_on_failure

Value type is array
Default value is ["_grokparsefailure"]

If true, ensure the '_grokparsefailure' tag is present when there has been no successful match

Posted: **Wed Nov 26, 2014 6:31 pm**

thank you that makes alot of sense now

Posted: **Mon Dec 01, 2014 10:01 am**

Are we clear to close the thread or do you have more questions regarding the issue?

Nagios Support Forum

_grokparsefailure

_grokparsefailure

Re: _grokparsefailure

Re: _grokparsefailure

Re: _grokparsefailure