Grok Parse Failure
Posted: Thu Jun 13, 2019 7:26 am
Hello LOG Support
We are having _grokparsefailure for these messages:
{"EventReceivedTime":"2019-06-13 08:23:39","SourceModuleName":"windowsfile","SourceModuleType":"im_file","message":"11,06/13/19,08:23:38,Renew,10.64.121.104,,08000FA3DBCC,,3849900216,0,,,,0x697070686F6E652E6D6974656C2E636F6D00,,,,,0"}
and that filter (created by support for us)
if [type] == "DHCPlog" {
  grok {
    match => { "message" => "%{INT:number},%{DATE:date},%{TIME:time},%{WORD:mtype},%{IP:ip},%{HOSTNAME:computername},%{BASE16NUM:mac},%{GREEDYDATA}"}
  }
}
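The failure above, reproduced offline as an added example (not part of the original post or of the support-provided filter): Python regexes standing in for the grok patterns show that the sample line stops matching at the empty host name field between the IP and the MAC, because a HOSTNAME-style pattern needs at least one character. The names `P`, `build` and `parse` are hypothetical, the regexes are simplified approximations of the stock grok patterns, and the second sample line is constructed.

```python
import re

# "message" value copied from the post.
SAMPLE = ("11,06/13/19,08:23:38,Renew,10.64.121.104,,08000FA3DBCC,,3849900216,"
          "0,,,,0x697070686F6E652E6D6974656C2E636F6D00,,,,,0")
# Constructed variant with a host name filled in, for comparison.
SAMPLE_WITH_HOST = SAMPLE.replace(
    ",,08000FA3DBCC", ",PC01.example.local,08000FA3DBCC", 1)

# Assumption: simplified stand-ins for the grok patterns in the filter,
# close enough for this log line but not the exact stock definitions.
P = {
    "INT": r"[+-]?\d+",
    "DATE": r"\d{1,2}[/-]\d{1,2}[/-]\d{2,4}",
    "TIME": r"\d{1,2}:\d{2}:\d{2}",
    "WORD": r"\w+",
    "IP": r"\d{1,3}(?:\.\d{1,3}){3}",
    "HOSTNAME": r"[0-9A-Za-z][0-9A-Za-z-]{0,62}"
                r"(?:\.[0-9A-Za-z][0-9A-Za-z-]{0,62})*",
    "BASE16NUM": r"(?:0x)?[0-9A-Fa-f]+",
}

def build(hostname_optional=False):
    """Assemble the filter's field sequence as one regular expression."""
    host = "(?P<computername>%s)" % P["HOSTNAME"]
    if hostname_optional:
        host = "(?:%s)?" % host  # tolerate an empty computername field
    fields = [
        "(?P<number>%s)" % P["INT"],
        "(?P<date>%s)" % P["DATE"],
        "(?P<time>%s)" % P["TIME"],
        "(?P<mtype>%s)" % P["WORD"],
        "(?P<ip>%s)" % P["IP"],
        host,
        "(?P<mac>%s)" % P["BASE16NUM"],
    ]
    return re.compile(",".join(fields) + ",.*")  # trailing GREEDYDATA

def parse(line, hostname_optional=False):
    """Return the captured fields, or None (the grok-failure case)."""
    m = build(hostname_optional).search(line)  # grok matching is unanchored
    return m.groupdict() if m else None

if __name__ == "__main__":
    print("strict, post's line      :", parse(SAMPLE))
    print("strict, host name present:", parse(SAMPLE_WITH_HOST))
    print("optional host name       :", parse(SAMPLE, hostname_optional=True))
```

In grok syntax the same relaxation is written by wrapping the field as `(?:%{HOSTNAME:computername})?`.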