Can we add fields value based on regex patterns in include_lines for the same log

krishanagrawal · November 14, 2018, 8:49am

I am parsing a log file which has error from 3 different process.
I have added the input file in path and have added the 3 regex pattern in include line unique to 3 processes.
Can I add field column which will be populated with the log line based on the regex pattern it matched in include_lines tag?

eg:

logs are:
[p1_err] adc....
[p2_err] adc....
[p3_warn] adc....
[p1_warn] adc....
[p3_err] adc....
....

in my filebeat.yml

filebeat.inputs:

type: log
paths:
- <log_file>
  include_lines: ['p1_err', 'p2_err', 'p3_err']

I want to see the count of p1_err,p2_err,p3_err lines in output on kibana.

steffens · November 14, 2018, 3:41pm

include_lines is just for prefiltering, it's no parser.

You can either go schemaless and use filtering on the "message" field in kibana UI in order to count events matching a pattern or use grok (Logstash or Ingest Node), or dissect (Filebeat or Logstash or Ingest Node) to do some minimal parsing. E.g. see Filebeat dissect docs.

system · December 12, 2018, 3:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat to ouput which pattern matched from the include_lines list Beats filebeat	5	1305	July 12, 2017
Filebeat add field based on line content Beats filebeat	1	347	March 3, 2020
Allow Filebeat to add folder names as fields Beats	4	1450	June 7, 2017
Using a regex in the custom field of Filebeat Beats	6	4209	April 27, 2018
Filebeat "Provided Grok expressions do not match field value" Beats filebeat	1	1106	January 7, 2021

Can we add fields value based on regex patterns in include_lines for the same log

Related topics