I am wondering what works best for my Logstash grok filters. I have some filters that are for specific log entries and will not apply to all entries. Those that are not applicable always generate _grokparsefailure tags. For example, I have one grok filter that works fine for each log entry. Then I have another filter, which is for tracking traceback messages. The traceback filter returns a _grokparsefailure for each log entry that does not have a traceback.
I would prefer it to simply pass the rule if there is no match instead of adding the parsefailure tag. I use the parsefailure tag to find things that don't parse correctly, and not things that just don't match a specific filter. Maybe this is just the nomenclature of "failure to parse" that bothers me. For me, this means that something is wrong with the filter (for example, poorly formatted), and not that it does not match.
So the question is, how should I handle this?
Make the filter pattern optional using `?`
(ab)use the tag_on_failure parameter, setting it to nothing []
make the filter conditional using something like "if traceback in message"
something else I'm not considering?
Thanks in advance.
EDIT
I went with adding a conditional around the filter:
    if [message] =~ /took\s\d+/ {
      grok {
        patterns_dir => "/etc/logstash/patterns"
        match => ["message", "took\s+(?<servicetime>[\d\.]+)"]
        add_tag => [ "stats", "servicetime" ]
      }
    }
However, I'm interested in feedback. What is considered "best practice" here?
filter logstash logstash-grok
Spanky Dec 30 '14 at 23:57 2013-12-30 23:57
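As an added example (not part of the original post), a filter section that puts the conditional approach from the edit next to the tag_on_failure alternative, while leaving the default _grokparsefailure tag on the one pattern every line must match, so a real format change or broken pattern is still visible in the parsed output. The base timestamp/level pattern and the traceback pattern are constructed for this example.

```conf
filter {
  # Mandatory pattern: every line must match. Keep the default tag_on_failure
  # so genuine parse problems (log format drift, a bad pattern) are still tagged
  # with _grokparsefailure and can be alerted on.
  grok {
    patterns_dir => "/etc/logstash/patterns"
    match => { "message" => "%{TIMESTAMP_ISO8601:ts} %{LOGLEVEL:level} %{GREEDYDATA:body}" }
  }

  # Optional field, option 3 from the question: only run the grok when the
  # line can possibly contain it, so a non-matching line is simply skipped.
  if [message] =~ /took\s\d+/ {
    grok {
      match => { "message" => "took\s+(?<servicetime>[\d\.]+)" }
      add_tag => [ "stats", "servicetime" ]
    }
  }

  # Optional block, option 2 from the question: run the grok on every line but
  # suppress the failure tag for this grok only. A match still adds its own tag,
  # so downstream queries can select on "traceback" instead of on the absence
  # of _grokparsefailure.
  grok {
    match => { "message" => "Traceback \(most recent call last\)" }
    tag_on_failure => []
    add_tag => [ "traceback" ]
  }
}
```

Either way, _grokparsefailure now only appears when the mandatory pattern fails, which is the signal the question wants it to carry.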