Grok pattern makes output processing stop

We have set up a grok pattern to parse the message field of a log event. The grok pattern is run inside a pipeline rule taking care of a stream dedicated to all (and only) of those events.
It's been successfully tested with sample data.

Shortly after the pipeline is made active all graylog nodes in charge stop processing (In: many / Out: 0).
A process buffer dump shows all threads blocked. When processing stops, so does logging (server.log).

How can I find out what’s going wrong?

CentOS7, graylog 4.1.10

Behaviour seems similar to what was posted here:

Graylog nodes stop outputting/fill up buffers - Graylog - Graylog Community

Thanks for help,



You could use the debug() function in your pipeline rule and watch what it is you are parsing in the Graylog logs. It may not capture the exact message but it will give you the vicinity.

You might anchor the start of your Grok to the start of the message with ^

You could post the grok, sample message and pipeline rule (obfuscated and using the </> tool to make it readable) for others to comment on.
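
Added example, not part of the thread and not the original poster's rule: a Graylog pipeline rule that combines the two suggestions above, logging the input with debug() before parsing and anchoring the grok pattern with ^ and $. The rule name, the grok pattern and the field names (event_time, level, detail) are assumptions made up for illustration.

```graylog
rule "parse app event (anchored grok, with debug)"
when
  has_field("message")
then
  let raw = to_string($message.message);

  // Written to server.log before grok runs, so the last lines logged
  // before a stall show which messages were being parsed at the time.
  debug(concat("grok input: ", raw));

  // Hypothetical pattern. ^ pins the match to the start of the message,
  // so the regex engine does not retry the pattern at every later offset
  // when a message does not fit. $ pins the end in the same way.
  let parsed = grok(
    pattern: "^%{TIMESTAMP_ISO8601:event_time} %{LOGLEVEL:level} %{GREEDYDATA:detail}$",
    value: raw,
    only_named_captures: true
  );

  // Fields are only added when the pattern matched; otherwise the result is empty.
  set_fields(parsed);
end
```

Remove the debug() line once the offending message has been found, since it writes one server.log entry per processed message.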
