Adding fields to configuration file

amin224 · January 15, 2020, 9:51am

Hi,
I am running multiple java applications and creating logging files for each one, so i decided to use elastic stack for Centralised Log Management. My question is how can i add port and IP address fields to my index pattern. should i use mutate filter plugin or do i specify them in my input.

Thanks.

grumo35 · January 15, 2020, 10:04am

Hi,

you can use the mutate plugin filter with the add_field option

mutate {
add_field => { "foo" => "bar" }
}

you'll get a field called "foo" with the value "bar"

here is the documentation

grumo35 · January 15, 2020, 10:06am

EDIT : i saw you were trying to search from Kibana

go in "Patterns" and choose your pattern then you can use the refresh button in the top right corner

amin224 · January 15, 2020, 10:12am

Hi grumo35,

Actually this is what i was looking for, Thank you so much. Last question, is it possible for Logstash to enter the port number of the java application after sending a log request?

Is it done like this in my Logstash configuration file

input {
  file {
    type => "java"
    path => "/home/user/microservice1logging/microservice1.log"
    start_position => "beginning"
  }
}

filter {
    mutate {
	add_field => { "Portname" => "%{server.port}" }
	}
}

output {
   
  stdout {
    codec => rubydebug
  }

  elasticsearch {
    hosts => ["localhost:9200"]
  }
}

Using %{server.port}?

grumo35 · January 15, 2020, 10:20am

Elasticsearch is using nested fields so as you see "." dots in fields name this mean the fields actually looks like :

"server":{
    "port:"80"
    "ip":"127.0.0.1"
}

server.port in Kibana equals [server][port] in logstash

filter {
    mutate {
	add_field => { "Portname" => "%{[server][port]}" }
	}
}

amin224 · January 15, 2020, 10:30am

I am getting them hard coded instead of the actual values for the IP address and Port of my java application. Do i have to include them in the input of my logstash conf file?

{
       "message" => "2020-01-15 02:25:20.375  INFO [microservice1,26bb961d71430a27,26bb961d71430a27,false] 22525 --- [http-nio-8001-exec-4] c.s.m.c.Microservice1Controller          : This is an INFO log",
    "@timestamp" => 2020-01-15T10:25:21.403Z,
          "host" => "ubuntu",
     "IPaddress" => "%{[server][ip]}",
      "@version" => "1",
      "Portname" => "%{[server][port]}",
          "path" => "/home/user/microservice1logging/microservice1.log",
          "type" => "java"
}

grumo35 · January 15, 2020, 10:42am

I'm not sure of what you're trying to do here,

What you're doing here is adding the field "Portname" with the value of the field "server.port", but does the server.port field existed previously ?

Can you provide source log samples ?

amin224 · January 15, 2020, 11:30am

Never mind thank you so much for helping me

system · February 12, 2020, 11:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.