logstash-plugins / logstash-filter-grok

Grok plugin to parse unstructured (log) data into something structured.
https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html
Apache License 2.0

Exception in Grok Plugin #67

Open nipunarora opened 8 years ago

nipunarora commented 8 years ago

I have confirmed this is a problem in logstash-2.1.0 as well.

I am using logstash-1.4.2 and found a grok exception happening for some of our training and testing files. Can anyone please confirm if the fix is correct? And why exactly the exception happens?

I found the following:

The function match in the file logstash-1.4.2/lib/logstash/filters/grok.rb needs to be changed. The change is highlighted below. I basically added a return false in the rescue exception handler, and some logging information. The exception seems to happen for .* expression probably because of increased state machine, but I need to investigate this further. I think (although I am not sure) this is only happening for unmatched patterns. For now we can take the default option of "unmatched" for any exception happening in logstash. Hopefully these exceptions will be uncommon.

One additional thing to note is that the same line can throw multiple exceptions. I confirmed this by looking at the debug output information I added in the exception handler.

    private
    def match(grok, field, event)
      input = event[field]
      if input.is_a?(Array)
        success = true
        input.each do |input|
          grok, match = grok.match(input)
          if match
            match.each_capture do |capture, value|
              handle(capture, value, event)
            end
          else
            success = false
          end
        end
        return success
      # elsif input.is_a?(String)
      else
        # Convert anything else to string (number, hash, etc)
        grok, match = grok.match(input.to_s)
        return false if !match
        match.each_capture do |capture, value|
          handle(capture, value, event)
        end
        return true
      end
    rescue StandardError => e
      # Log the exception message and the offending input, then report the line as unmatched
      @logger.warn('------')
      @logger.warn("Grok regexp threw exception", :exception => e.message)
      @logger.warn(' The input is ')
      @logger.warn(input)
      @logger.warn('------')
      return false
    end

jordansissel commented 8 years ago

> Can anyone please confirm if the fix is correct?

Is the bug mentioned anywhere? I am not seeing a description of the bad behavior, so I'm not quite able to assess your proposed change.

nipunarora commented 8 years ago

@jordansissel - apologies. I was away for a while. This is a bug that got triggered through logstash in my deployment. I tracked it to this function. However, the exception is happening through grok? I am assuming that's a problem?

jordansissel commented 8 years ago

@nipunarora What exception? Can you show me a stack trace?

nipunarora commented 8 years ago

@jordansissel: I get this exception output from grok, how can I generate a stack trace? Seems like the stack trace is not really being generated, even though an exception is triggered. I turned on the --debug option in logstash:

1078 {:timestamp=>"2016-01-08T15:02:04.787000-0500", :message=>"Grok regexp threw exception", :exception=>"63", :level=>:warn, :file=>"logstash/filters/grok.rb", :line=>"332"}

jordansissel commented 8 years ago

The exception message being '63' is ... confusing me. You'll have to modify the code to get a stack trace. Line 332 of logstash/filters/grok.rb is what prints the log message for your version of logstash, so that'd be a place to start. You can get the stack trace as e.backtrace

jordansissel commented 8 years ago

If you still experience this on newer releases of Logstash, can you provide a sample config and a sample input text that triggers the exception?

nipunarora commented 8 years ago

I do see the exception in the current version of logstash as well. I'll try and see if I can provide a small test-case since I've a particularly large config file with several patterns.

@jordansissel - Please find the debug output using the backtrace here: https://gist.github.com/nipunarora/766ad7f411aca6f3a40a