Logstash 2.3.4 issue [solved] #35

paltryeffort · 2016-08-10T09:36:07Z

Hi,
I upgraded my logstash server to 2.3.4 using this filter.

After about a week the java process died with "out of heap space". Increasing the heap didn't help, it just took longer until the java process died.

After long hours of debugging I found a solution to this:

In the file 2030_filter_section_c_parse.conf I replaced the lines:

  grok {
    match => {
      "rawSectionC" => "(?<requestBody>.+)"
    }

with

  mutate {
    add_field => { "requestBody" => "%{rawSectionC}" }
  }

It basically just copies the field rawSectionC to requestBody. That's also what the grok is doing. For me the result is the same.

My logstash 2.3.4 server is running now a couple of weeks with this config without any issues.

For anyone using this filter with logstash 2.x you should also replace the line in the inputs from

  charset => "US-ASCII"

to

 codec => plain { charset => "US-ASCII" }

Other than that the filter is working fine for me with the new logstash version.

The text was updated successfully, but these errors were encountered:

bitsofinfo · 2016-08-10T12:45:15Z

Can you please submit a pull-request w/ the affected fix? I will then create a new release

bitsofinfo · 2016-08-10T12:45:35Z

Also is the change backwards compatible?

bitsofinfo · 2016-09-29T13:59:05Z

@paltryeffort do you have a PR?

bitsofinfo · 2016-11-08T22:43:20Z

fix for #35

bitsofinfo added bug enhancement labels Aug 25, 2016

bitsofinfo added a commit that referenced this issue May 19, 2017

fix for #35

4a844ed

fix for #35

bitsofinfo closed this as completed May 19, 2017

Provide feedback