Added fields are not displaying

sushmithak · July 6, 2015, 9:57am

Hi,
I have added some fields like received_at and received_from using add_field in logstash configuration file,but these fields are not displaying anywhere.
Where these fields will be displayed.I want these fields to be displayed in logstash.stdout file.
here is my logstash configuration file.

filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}

please anyone suggest me...

magnusbaeck · July 6, 2015, 10:39am

This should work. Is your grok filter successful (i.e. doesn't add a _grokparsefailure tag)? Please reduce your configuration to a minimal example that exhibits the problem.

sushmithak · July 6, 2015, 10:45am

Thanks Magnus,
I am not getting _grokparsefailure tag.But these fields are not displaying in logstash.stdout file.
have any suggestions to make these fields displayed in logstash.stdout file?

Christian_Dahlqvist · July 6, 2015, 10:48am

Do you see any of the other parsed fields, e.g. syslog_pid, in the output? What does your input block look like?

sushmithak · July 6, 2015, 10:56am

No ,i'm not getting other fields also in the output.
My input block is like this:
input {
lumberjack {
port => 5000
type => "logs"
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}

sushmithak · July 6, 2015, 11:10am

output is like this :

"message" =>
"@version" =>
"@timestamp" =>
"type" =>
"file" =>
"host" =>
"offset" =>

what changes i have to do to display the remaining fields also in the output?

magnusbaeck · July 6, 2015, 11:11am

But it's not quite like that, right? Surely you have something after "=>" on each line? Are you using the rubydebug codec for your output plugin?

sushmithak · July 6, 2015, 11:18am

yes i'm using ruby debug,
my original output look like this:

   "message" => "Jul  6 02:31:19 ..........................",
  "@version" => "1",
"@timestamp" => "2015-07-06T10:54:47.659Z",
      "type" => "cloudera",
      "file" => "/var/log/navigator.log",
      "host" => "syslogserver",
    "offset" => "9293240"

why the fields i'm parsing are not getting displayed in the output?
please help me...

magnusbaeck · July 6, 2015, 11:20am

Your grok filter is wrapped in a

if [type] == "syslog" {
  ...
}

conditional, yet the type of this message is "cloudera".