How to troubleshoot _grokparsefailure ??

[KDGundermann]

I'm using OPNsense 22.4 with pfELK 22.04 and having the unbound messages tagged with _grokparsefailure

How can I troubleshoot this parsing errors?

Looking at logstash-plain.log there are no related infos to unbound

[a3ilson]

Take the original log message form discoverer (Kibana). Then, insert that log message within the Grok Debugger (Under Dev Tools). Next, take the pfelk.grok pattern file and insert that with the Grok Debugger. Finally, submit your improvements to this repo and share with others.

Note: You'll want to take the filter_message vs the entire message.

Reference:
https://www.elastic.co/guide/en/kibana/current/xpack-grokdebugger.html