Apply grok pattern based on logfile name

Mehak_Bhargava · January 28, 2020, 6:42pm

Under one index I have multiple log files and one of those log file will use a different grok format than the other three log files. How can I apply grok pattern based on if statement on file name? For example,

- type: log

  enabled: true
  input_type: log
  fields:
    tags: ["obapp-dotnet"]

  paths:
    - 'C:\Program Files (x86)\ESQ SST\Logs\OBWebAPI\log.txt'
    - 'C:\Program Files (x86)\ESQ SST\Logs\OBWebAPI\exceptionlog.txt'
    - 'C:\Program Files (x86)\ESQ SST\Logs\IMSService\dispatcher.txt'

This is a block of my filebeat.yml. I want that under index "obapp-dotnet", log.tct and exceptionlog.txt use one grok pattern and dispatcher.log uses another type of grok pattern.
So,

if {dispatcher.log} use pattern1
else {exceptionlog.txt} use pattern 2

My filter block right now is-

filter {
  if[fields][tags] =="obapp-java" {
    grok {
      break_on_match => false
      match => {
        "message" => [\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{GREEDYDATA}%{SPACE}%{LOGLEVEL:logLevel}%{SPACE}%{GREEDYDATA}%{SPACE}%{JAVACLASS:javaClass} ]
      }
    }
filter {
    grok {
       match => ["path","%{GREEDYDATA}/%{GREEDYDATA:filename}\.log"]
    }
  }
} else if [fields][tags] == "obapp-dotnet" {
    grok {
      break_on_match => false
      match => ["path","%{GREEDYDATA}/%{GREEDYDATA:filename}\.log"]
      if [path] = "dispatcher.log" {
	     grok{
		    match => {
               "message" => [ ------- ]
	          }
        	 }
      else {
	  match => {
        "message" => [\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{GREEDYDATA}%{SPACE}%{LOGLEVEL:logLevel}%{SPACE}%{GREEDYDATA}%{SPACE}%{JAVACLASS:javaClass}
          ]
      }
	 }
    }
}
}

Mehak_Bhargava · January 28, 2020, 7:07pm

@Christian_Dahlqvist, what would you suggest here> Is the logstash in right format?

Mehak_Bhargava · January 28, 2020, 11:56pm

@mancharagopan Any suggestion for the logstash file? This format isnt working.

mancharagopan · January 29, 2020, 3:02am

it should be if [path] == "dispatcher.log" {

mancharagopan · January 29, 2020, 3:10am

Use Prospectors in filebeat configuration file to add fields.

Example:

filebeat:
  prospectors:
    - paths:
        - 'C:\Program Files (x86)\ESQ SST\Logs\IMSService\dispatcher.txt'
      fields:  {log_type: dispatcher}

Logstash:
filter {
  if [fields][log_type] == "dispatcher" {
    grok {
	match => {
              "message" => [ ------- ]
        }
    }
  }
}

Mehak_Bhargava · January 29, 2020, 7:20am

@mancharagopan Thanks. But by adding

the index will be dispatcher and not obapp-dotnet. How can we have obapp-dotnet as index and still a file identifier for each file?

Mehak_Bhargava · January 29, 2020, 7:23am

@mancharagopan will this line be helpful in creating path as a field and then apply if statement on path since it will have file name such as dispatcher?

Although I tried this line and it doesnt create "path" as field. I would expect this line would create a field called Path: dispatcher.log. Or any other suggestion how I could have filename extracted in grok?

mancharagopan · January 29, 2020, 8:28am

How are you separating indexes? Which field you are using?

mancharagopan · January 29, 2020, 8:30am

can you share how the raw data looks like?

Mehak_Bhargava · January 29, 2020, 4:19pm

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

- type: log

  # Change to true to enable this input configuration.
  enabled: true
  input_type: log
  fields:
    tags: ["obapp-dotnet"]

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - 'C:\Program Files (x86)\ESQ SST\Logs\OBWebAPI\log.txt'
    - 'C:\Program Files (x86)\ESQ SST\Logs\OBWebAPI\exceptionlog.txt'
    - 'C:\Program Files (x86)\ESQ SST\Logs\IMSService\log.txt'
    - 'C:\Program Files (x86)\ESQ SST\Logs\IMSService\exceptionlog.txt'    
- type: log

  enabled: true
  input_type: log
  fields:
    tags: ["obapp-java"]

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - 'C:\Program Files (x86)\ESQ SST\DispatcherApp\logs\*.log'
    - 'C:\Program Files (x86)\ESQ SST\RBACService\logs\*.log'
    - 'C:\Program Files (x86)\ESQ SST\OBAPI\logs\*.log'

this is block of filebeat.yml. The two tags get created as seperate indexes.

filter {
  if[fields][log_type] =="obapp-java" {
    grok {
	#breaks if first match good, hence false to consider second match too.
      break_on_match => false
      match => {
        "message" => [\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{GREEDYDATA}%{SPACE}%{LOGLEVEL:logLevel}%{SPACE}%{GREEDYDATA}%{SPACE}%{JAVACLASS:javaClass}
         ]
      }
    }
filter {
    grok {
       match => ["path","%{GREEDYDATA}/%{GREEDYDATA:filename}\.log"]
    }
  }
} 

else if [fields][log_type] == "obapp-dotnet" {
    grok {
      break_on_match => false
	  match => ["path","%{GREEDYDATA}/%{GREEDYDATA:filename}\.log"]
	  if [path] = "dispatcher.log" {
	     grok{
		    match => {
               "message" => [  ]
			   }
			 }
      else {
	  match => {
        "message" => [\A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{GREEDYDATA}%{SPACE}%{LOGLEVEL:logLevel}%{SPACE}%{GREEDYDATA}%{SPACE}%{JAVACLASS:javaClass}
          ]
      }
	 } 
    }
}
}
}

Mehak_Bhargava · January 29, 2020, 4:21pm

````onapp-dotnet````
'C:\Program Files (x86)\ESQ SST\Logs\OBWebAPI\log.txt
27/01/2020 00:04:56   (null)                  INFO   10   OB.WebAPI.Business.Logic.OBWebAPIManager..ctor Entry Time - 27-01-2020 00:04:56.172 
'C:\Program Files (x86)\ESQ SST\Logs\OBWebAPI\exceptionlog.txt' - \A%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{GREEDYDATA}%{SPACE}%{LOGLEVEL:logLevel}%{SPACE}%{GREEDYDATA}%{SPACE}%{JAVACLASS:javaClass}
2020-01-02 15:19:40,710:               (null) ERROR: (ESQ.CrossCutting.Instrumentation.ExceptionLoggingAspectAttribute.OnException(),Ln 0): OB.WebAPI.OBWebAPI.OB.WebAPI.Contracts.v1.IMS.GetIncidentArray failed. Message:Value cannot be null.
````onapp-java````
'C:\Program Files (x86)\ESQ SST\DispatcherApp\logs\dispatcher.log 
2020-01-27 03:11:21,038 [DispatcherScheduler_Worker-2] INFO   o.a.c.h.HttpMethodDirector - Retrying request
'C:\Program Files (x86)\ESQ SST\RBACService\logs\rbac.log 
2020-01-27 00:21:23,337 INFO  [qtp2141445292-70219] org.eclipse.jetty.server.session - Session node0mppnjr4chzg1eps3zohnru4217853 already being invalidated
C:\Program Files (x86)\ESQ SST\OBAPI\logs\*.log
20191203 04:50:54.671 [main] INFO  o.s.b.f.x.XmlBeanDefinitionReader - Loading XML bean definitions from class path resource [config/obapi-custom-data-config.xml]

Under first index are two file paths mentioned with a sample of log type stored in them. So with index onapp-dotnet, file path is "c:....log.txt' and the format of log in it is in next line.

system · February 26, 2020, 4:25pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to apply different filters based on particular name of files without using Filebeat Logstash	5	864	July 16, 2019
Sprintf reference in grok pattern (help me~!) Logstash	5	314	April 13, 2020
Apply grok pattern based on the log file path Logstash	41	1526	July 13, 2023
Grok condition for two different type of files Logstash	6	1907	July 6, 2017
Conditional grok Logstash	8	33052	July 6, 2017

Apply grok pattern based on logfile name

Related topics