Hello Magnus,
thanks for your help, but your hint does not solve the problem.
This is the complete filter I am using:
# Two-stage parse: grok strips a syslog-style prefix off each line and keeps
# the remainder in "message"; csv then splits that remainder into named columns.
filter {
grok {
# The line must contain "<number>" followed by month, day, time, hostname and a
# "logfile:" token; everything after that is captured as the new "message".
# The pattern has no ^ anchor, so grok searches for a match anywhere in the line.
match => [ "message", "<%{BASE10NUM}>%{MONTH:month}%{SPACE}%{MONTHDAY:day}%{SPACE}%{TIME:time}%{SPACE}%{HOSTNAME:server}%{SPACE}%{DATA:logfile}:%{SPACE}%{GREEDYDATA:message}" ]
# Replace the original "message" with the captured remainder instead of appending to it.
overwrite => [ "message" ]
# Applied only when the match succeeds; on failure the event is tagged
# _grokparsefailure and "host" is left in place.
remove_field => [ "host" ]
}
# No conditional guards this stage, so it also runs on events that grok failed
# to parse.
# NOTE(review): consider wrapping it in `if "_grokparsefailure" not in [tags]`
# so unparsed lines are not split into misleading fields.
csv {
# Eleven positional column names; values are assigned in this order.
# NOTE(review): "aspnet-sessionid" looks like a web session identifier. Confirm
# whether it should be indexed as-is or dropped/hashed (e.g. with the
# fingerprint filter) before it reaches the log store.
columns => ["level","severity", "logger", "aspnet-sessionid", "organisation", "correlationState", "user", "msg", "exception", "method", "messageType"]
# Comma is also the csv filter's default separator.
separator => ","
# Drop the parsed "severity" column from the event.
remove_field => [ "severity" ]
}
}
This is the output I receive from logstash:
{
"message" => [
[0] "Debug,10,SiebelThreadDispatcher,wwlv1ixzk35ypqo5oe20sjse,de,,user,Released slot for siebel webservice communication.,,SiebelThreadDispatcher,LogEntry"
],
"@version" => "1",
"@timestamp" => "2015-07-02T11:58:28.315Z",
"host" => "server",
"path" => "/tmp/test_oo.log",
"tags" => [
[0] "_grokparsefailure"
],
"level" => "Debug",
"logger" => "SiebelThreadDispatcher",
"aspnet-sessionid" => "wwlv1ixzk35ypqo5oe20sjse",
"organisation" => "de",
"correlationState" => nil,
"user" => "user",
"msg" => "Released slot for siebel webservice communication.",
"exception" => nil,
"method" => "SiebelThreadDispatcher",
"messageType" => "LogEntry"
I am pretty sure that this has to be correct. Also, the online grok evaluator doesn't show me any error. But I still receive a grokparsefailure.
Greetz,
ABecker