How to query Log from custom parsing rule?

I made a custom parsing rule and it passes the tests that grok displays, but I still can’t query the data. It’s supposed to show up in NRQL as facets, right? The facets for what I want don’t show up. Here is the screenshot proving it passes the tests.


Here is the grok line:
pid=%{WORD:pid} tid=%{DATA:tid} class=%{WORD:class} jid=%{DATA:jid} (elapsed=%{NUMBER:elapsed} )?INFO:\s+%{WORD:status}
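
Added example (not part of the original thread, and not New Relic's code): a way to check the posted rule offline, so that a rule that matches can be told apart from a pipeline that never applies it. The regex equivalents of WORD, DATA and NUMBER are simplified assumptions based on the standard Grok definitions, the function names are hypothetical, and the log lines are constructed.

```python
import re

# Simplified regex equivalents of the three Grok patterns used by the rule
# (assumption: standard Grok definitions; NUMBER is reduced to plain decimals).
GROK_PATTERNS = {
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
    "NUMBER": r"[+-]?(?:\d+(?:\.\d+)?|\.\d+)",
}

# The parsing rule exactly as posted in the thread.
RULE = (r"pid=%{WORD:pid} tid=%{DATA:tid} class=%{WORD:class} jid=%{DATA:jid} "
        r"(elapsed=%{NUMBER:elapsed} )?INFO:\s+%{WORD:status}")

# Constructed sample messages (not taken from the thread).
SAMPLES = [
    "pid=4 tid=ox7k2 class=HardWorker jid=5f1c2d9a8b7e elapsed=1.52 INFO: done",
    "pid=4 tid=ox7k2 class=HardWorker jid=5f1c2d9a8b7e INFO: start",
    "pid=4 tid=ox7k2 INFO: Booting Sidekiq",
]


def grok_to_regex(rule):
    """Expand each %{PATTERN:name} placeholder into a named capture group."""
    def expand(m):
        pattern, name = m.group(1), m.group(2)
        if pattern not in GROK_PATTERNS:
            raise ValueError(f"unsupported Grok pattern: {pattern}")
        return f"(?P<{name}>{GROK_PATTERNS[pattern]})"
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", expand, rule))


def parse(message, rule=RULE):
    """Return the extracted attributes, or None when the rule does not match."""
    m = grok_to_regex(rule).search(message)
    if m is None:
        return None
    # Optional groups that took no part in the match are dropped.
    return {k: v for k, v in m.groupdict().items() if v is not None}


if __name__ == "__main__":
    for line in SAMPLES:
        print(parse(line))
```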

Hi, @vincent14: I just tested your parsing rule against some of your log data, and it works as expected:

Note that parsing rules apply only to log messages received after the rule is enabled; it is not possible to apply parsing rules to existing log data.

I’ll check again but I made the rule over a month ago. Thank you though.
EDIT: I just tried it and it returned this:

Try adding WHERE class IS NOT NULL, or WHERE syslog.procid = 'sidekiq.1'

Still the same thing.

Sorry, you seem to be experiencing this bug:

Parsing rules are not applied to syslogs forwarded from Heroku. The topic says ETA for a fix was in June, which obviously did not happen.


Ah, thank you. Is there an updated ETA on that by any chance?

I am not aware of an ETA for this fix. I have flagged your question for help from a support engineer, who can hopefully provide more detail.
