Change field type from filter dissect

Timotius_Pamungkas · January 4, 2018, 11:18am

I use logstash-logback-encoder to send java log files to logstash, and then to elasticsearch. To parse the message in java log, I use following filter to dissect message

input {
  file {
    path => "/Users/MacBook-201965/Work/java/logs/oauth-logstash.log"
    start_position => "beginning"
    codec => "json"
  }
}

filter {
  if "EXECUTION_TIME" in [tags] {
    dissect {
      mapping => {
        "message" => "%{endpoint} timeMillis:[%{execution_time_millis}] data:%{additional_data}"
      }
    }
    mutate {
      convert => { "execution_time_millis" => "integer" }
    }
  }
}

output {
  elasticsearch { 
     hosts => "localhost:9200"
     index => "elk-%{+YYYY}"
     document_type => "log"
  }

  stdout {
    codec => json
  }
}

It dissect the message so I can get value of execution_time_millis. However the data type is string. I created the index using Kibana index pattern. How can I change the data type of execution_time_millis into long?

Here is the sample json message from logback

{  
   "message":"/tests/{id} timeMillis:[142] data:2282||0:0:0:0:0:0:0:1",
   "logger_name":"com.timpamungkas.oauth.client.controller.ElkController",
   "level_value":20000,
   "endpoint":"/tests/{id}",
   "execution_time_millis":"142",
   "@version":1,
   "host":"macbook201965s-MacBook-Air.local",
   "thread_name":"http-nio-8080-exec-7",
   "path":"/Users/MacBook-201965/Work/java/logs/oauth-logstash.log",
   "@timestamp":"2018-01-04T11:20:20.100Z",
   "level":"INFO",
   "tags":[  
      "EXECUTION_TIME"
   ],
   "additional_data":"2282||0:0:0:0:0:0:0:1"
}{  
   "message":"/tests/{id} timeMillis:[110] data:2280||0:0:0:0:0:0:0:1",
   "logger_name":"com.timpamungkas.oauth.client.controller.ElkController",
   "level_value":20000,
   "endpoint":"/tests/{id}",
   "execution_time_millis":"110",
   "@version":1,
   "host":"macbook201965s-MacBook-Air.local",
   "thread_name":"http-nio-8080-exec-5",
   "path":"/Users/MacBook-201965/Work/java/logs/oauth-logstash.log",
   "@timestamp":"2018-01-04T11:20:19.780Z",
   "level":"INFO",
   "tags":[  
      "EXECUTION_TIME"
   ],
   "additional_data":"2280||0:0:0:0:0:0:0:1"
}

Thank you

Timotius_Pamungkas · January 5, 2018, 12:47am

Solved. This works, I've just did some typo on filter mutate

system · February 2, 2018, 12:47am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.