Recently I was developing a Logstash script. As I needed to parse data into different documetns, I used the ‘_grokparsefailure’ feature of Logstash. With this feature, we can skip applying other patterns if a pattern has been successfully applied to the input string.
In this script, I was not getting the desired output for one line containing the string SIGTERM. After multiple attempts, I realized that I was not removing the ‘_grokparsefailure’ element from the ‘tags’ collection maintained by Logstash. While that by itself was not hampering the display, it was the fact that I had checked this flag in the ‘output’ section of the Logstash script, in order to display only valid documents on standard out.