logstash-filter-grok icon indicating copy to clipboard operation
logstash-filter-grok copied to clipboard

Published 20 hours ago verified publisher icon logstash-plugins

Exception in Grok Plugin

Open nipunarora opened this issue 9 years ago • 7 comments

I have confirmed this is a problem in logstash-2.1.0 as well.

I am using logstash-1.4.2 and found a grok exception happening for some of our training and testing files. Can anyone please confirm if the fix is correct? And why exactly the exception happens?

I found the following:

The function match in the file logstash-1.4.2/lib/logstash/filters/grok.rb needs to be changed. The change is highlighted below. I basically added a return false in the rescue exception handler, and some logging informatitio The exception seems to happen for .* expression probably because of increased state machine, but I need to investigate this further. I think (although I am not sure) this is only happening for unmatched patterns. For now we can take the default option of "unmatched" for any exception happening in logstash. Hopefully these exceptions will be uncommon.

One additional thing to note is that the same line can throw multiple exceptions. I confirmed this by looking at the debug output information I added in the exception handler.

private def match(grok, field, event) input = event[field] if input.is_a?(Array) success = true input.each do |input| grok, match = grok.match(input) if match match.each_capture do |capture, value| handle(capture, value, event) end else success = false end end return success #elsif input.is_a?(String)
else # Convert anything else to string (number, hash, etc)
grok, match = grok.match(input.to_s) return false if !match

  match.each_capture do |capture, value|
    handle(capture, value, event)
  end
  return true
end

rescue StandardError => e @logger.warn('------') @logger.warn("Grok regexp threw exception", :exception => e.message) @logger.warn(' The input is ') @logger.warn(input) @logger.warn('------') return false end

nipunarora avatar Dec 24 '15 15:12 nipunarora

Can anyone please confirm if the fix is correct?

Is the bug mentioned anywhere? I am not seeing a description of the bad behavior, so I'm not quite able to assess your proposed change.

jordansissel avatar Dec 28 '15 20:12 jordansissel

@jordansissel - apologies. I was away for a while. This is a bug that got triggered through logstash in my deployment. I tracked it to this function. However the exception is happening through grok?. I am assuming that's a problem?

nipunarora avatar Jan 05 '16 15:01 nipunarora

@nipunarora What exception? Can you show me a stack trace?

jordansissel avatar Jan 06 '16 21:01 jordansissel

@jordansissel : I get this exception output from grok, how can I generate a stack trace? Seems like the stack trace is not really being generated, even though an exception is trigerred. I turned on --debug option in logstash:

1078 {:timestamp=>"2016-01-08T15:02:04.787000-0500", :message=>"Grok regexp threw exception", :exception=>"63", :level=>:warn, :file=>"logstash/filters/grok.rb", :line=>"332"}

nipunarora avatar Jan 08 '16 20:01 nipunarora

The exception message being '63' is ... confusing me. You'll have to modify the code to get a stack trace. Line 332 of logstash/filters/grok.rb is what prints the log message for your version of logstash, so that'd be a place to start. You can get the stack trace as e.backtrace

jordansissel avatar Jan 08 '16 21:01 jordansissel

If you still experience this on newer releases of Logstash, can you provide a sample config and a sample input text that triggers the exception?

jordansissel avatar Jan 08 '16 21:01 jordansissel

I do see the exception in the current version of logstash as well. I'll try and see if I can provide a small test-case since I've a particularly large config file with several patterns.

@jordansissel - Please find the debug output using the backtrace here: https://gist.github.com/nipunarora/766ad7f411aca6f3a40a

nipunarora avatar Jan 10 '16 03:01 nipunarora