I'm trying to learn conditional filtering. The grok outside the conditional expression parses successfully, but the grok inside the conditional expression does not.
target
[2020-01-09 08:32:46] VERBOSE[18962][C-0000ceae] pbx.c: Executing [s@macro-dialout-trunk:26] NoOp("PJSIP/3513-0001108e", "Dial failed for some reason with DIALSTATUS = BUSY and HANGUPCAUSE = 19") in new stack
filter {
  grok {
    # Pattern strings are single-quoted so the literal brackets, parentheses
    # and double quotes of the Asterisk line need no extra escaping for the
    # config parser; grok itself still needs the backslashes, which the forum
    # rendering had stripped (unescaped "[" starts a character class in grok).
    match => {
      "message" => '\[%{TIMESTAMP_ISO8601:log_timestamp}\] +(?<log_level>(?i)(?:debug|notice|warning|error|verbose|dtmf|fax|security)(?-i))\[%{INT:thread_id}\](?:\[%{DATA:call_thread_id}\])? %{DATA:module_name}: %{WORD:action}\s\[%{DATA:TARGET}@%{DATA:dialplan_context}:%{DATA:dialplan_priority}\]\s%{GREEDYDATA:log_message}'
    }
    # One add_field hash carrying both fields (the usual form), instead of the
    # option being written twice in the same block.
    add_field => {
      "receiver_timestamp" => "%{@timestamp}"
      "process_name"       => "asterisk_failed"
    }
  }

  # [action] and [dialplan_priority] only exist when the grok above matched.
  # On any other line shape the event is tagged _grokparsefailure, both
  # comparisons evaluate to false and neither branch is entered.
  if [action] == "Executing" and [dialplan_priority] == "1" {
    grok {
      match => {
        "log_message" => '%{DATA:asterisk_app}\("%{DATA:protocol}/%{DATA:EXT}-%{DATA:channel}",\s"%{DATA:problem1}-\s%{DATA:problem2}"\)\s%{GREEDYDATA:all}'
      }
    }
  }

  if [action] == "Executing" and [dialplan_priority] == "26" {
    grok {
      match => {
        "log_message" => '%{DATA:asterisk_app}\("%{DATA:protocol}/%{DATA:EXT}-%{DATA:channel}",\s"%{DATA:problem1}\sand\s%{DATA:problem2}"\)\s%{GREEDYDATA:all}'
      }
    }
  }
}
Is there something that needs to be imported to use a conditional if?
Hi there, thank you for your response. It was one of two targets, and I forgot to add the other target. I will provide the stdout soon, but can you spot any problem or mistake in my code?
{
"log" => {
"file" => {
"path" => "C:\\Users\\Charles\\Desktop\\DATA\\asdf"
},
"offset" => 209
},
"@timestamp" => 2020-01-21T08:12:40.466Z,
"EXT" => "3513",
"message" => "[2020-01-09 08:32:46] VERBOSE[18962][C-0000ceae] pbx.c: Executing [s-BUSY@macro-dialout-trunk:1] NoOp(\"PJSIP/3513-0001108e\", \"Dial failed due to trunk reporting BUSY - giving up\") in new stack",
"TARGET" => "s-BUSY",
"dialplan_context" => "macro-dialout-trunk",
"protocol" => "PJSIP",
"log_level" => "VERBOSE",
"host" => {
"name" => "D-ESS2018070164"
},
"problem1" => "Dial failed due to trunk reporting BUSY ",
"call_thread_id" => "C-0000ceae",
"receiver_timestamp" => "2020-01-21T08:12:40.466Z",
"action" => "Executing",
"channel" => "0001108e",
"problem2" => "giving up",
"tags" => [
[0] "beats_input_codec_plain_applied"
],
"@version" => "1",
"agent" => {
"id" => "6098a674-5dd7-4424-9fd9-848442bac485",
"version" => "7.4.2",
"type" => "filebeat",
"ephemeral_id" => "d81d3c2a-d15c-4e78-8083-a948a2930d5e",
"hostname" => "D-ESS2018070164"
},
"dialplan_priority" => "1",
"thread_id" => "18962",
"log_message" => "NoOp(\"PJSIP/3513-0001108e\", \"Dial failed due to trunk reporting BUSY - giving up\") in new stack",
"all" => "in new stack",
"log_timestamp" => "2020-01-09 08:32:46",
"process_name" => "asterisk_failed",
"asterisk_app" => "NoOp",
"ecs" => {
"version" => "1.1.0"
},
"module_name" => "pbx.c"
}
I just tried something. The time I said it failed, it really failed because I used the whole data, which of course contains one of those targets. And still the condition is not working at all. But when I try using only my target log, it works; it gets into the conditional. Can you explain this to me?
I only created the filter for my target; there are actually a lot of log shapes, but I didn't create filters for them.
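The filter block from the first post, and the "whole data" behaviour described in the post just above, re-implemented offline as an added example (not code from the original posts or from Logstash). It expands the three grok expressions with a simplified grok pattern table (an assumption; the real library definitions are longer), runs the main grok and the two conditional groks over the two lines from the page plus two constructed lines, and shows that a line of another shape fails the first grok, gets `_grokparsefailure`, and never enters either conditional because `[action]` is absent. Grok's `(?<name>...)` is written as Python's `(?P<name>...)`, and the inline `(?i)...(?-i)` as the scoped `(?i:...)`.

```python
import re

# Simplified stand-ins for the grok library patterns the config uses (assumption).
GROK_LIB = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?(?:Z|[+-]\d{2}:?\d{2})?",
    "INT": r"[+-]?\d+",
    "WORD": r"\w+",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
}
GROK_REF = re.compile(r"%\{([A-Z0-9_]+)(?::([A-Za-z0-9_]+))?\}")


def grok_to_regex(pattern: str) -> re.Pattern:
    """Expand %{NAME:field} into a named group and %{NAME} into a plain group."""
    def expand(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        body = GROK_LIB[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(GROK_REF.sub(expand, pattern))


# The three expressions from the config, with the escapes grok needs.
MAIN = grok_to_regex(
    r"\[%{TIMESTAMP_ISO8601:log_timestamp}\] +"
    r"(?P<log_level>(?i:debug|notice|warning|error|verbose|dtmf|fax|security))"
    r"\[%{INT:thread_id}\](?:\[%{DATA:call_thread_id}\])? %{DATA:module_name}: "
    r"%{WORD:action}\s\[%{DATA:TARGET}@%{DATA:dialplan_context}:%{DATA:dialplan_priority}\]"
    r"\s%{GREEDYDATA:log_message}"
)
PRIO_1 = grok_to_regex(
    r'%{DATA:asterisk_app}\("%{DATA:protocol}/%{DATA:EXT}-%{DATA:channel}",\s'
    r'"%{DATA:problem1}-\s%{DATA:problem2}"\)\s%{GREEDYDATA:all}'
)
PRIO_26 = grok_to_regex(
    r'%{DATA:asterisk_app}\("%{DATA:protocol}/%{DATA:EXT}-%{DATA:channel}",\s'
    r'"%{DATA:problem1}\sand\s%{DATA:problem2}"\)\s%{GREEDYDATA:all}'
)


def grok(event: dict, field: str, regex: re.Pattern) -> bool:
    """One grok filter: copy the captures into the event on success, otherwise
    tag the event _grokparsefailure as Logstash does. Unanchored like grok."""
    m = regex.search(event.get(field, ""))
    if m is None:
        event.setdefault("tags", []).append("_grokparsefailure")
        return False
    event.update({k: v for k, v in m.groupdict().items() if v is not None})
    return True


def apply_filter(message: str) -> dict:
    """The filter block from the post: main grok, then the two conditional groks."""
    event = {"message": message, "tags": []}
    if grok(event, "message", MAIN):
        event["process_name"] = "asterisk_failed"
    # When the main grok failed, [action] does not exist, the comparison is
    # false and the inner groks are simply skipped; nothing needs importing.
    if event.get("action") == "Executing" and event.get("dialplan_priority") == "1":
        grok(event, "log_message", PRIO_1)
    if event.get("action") == "Executing" and event.get("dialplan_priority") == "26":
        grok(event, "log_message", PRIO_26)
    return event


# Sample input: the two lines from the page, then two constructed lines.
SAMPLES = [
    '[2020-01-09 08:32:46] VERBOSE[18962][C-0000ceae] pbx.c: Executing [s@macro-dialout-trunk:26] '
    'NoOp("PJSIP/3513-0001108e", "Dial failed for some reason with DIALSTATUS = BUSY and HANGUPCAUSE = 19") in new stack',
    '[2020-01-09 08:32:46] VERBOSE[18962][C-0000ceae] pbx.c: Executing [s-BUSY@macro-dialout-trunk:1] '
    'NoOp("PJSIP/3513-0001108e", "Dial failed due to trunk reporting BUSY - giving up") in new stack',
    # constructed: priority 27 passes the main grok but matches neither condition
    '[2020-01-09 08:32:46] VERBOSE[18962][C-0000ceae] pbx.c: Executing [s@macro-dialout-trunk:27] '
    'Return("PJSIP/3513-0001108e", "") in new stack',
    # constructed: a different log shape, rejected by the main grok
    "[2020-01-09 08:32:47] NOTICE[18962] chan_sip.c: Registration from '<sip:100@10.0.0.5>' "
    "failed for '10.0.0.9:5060' - Wrong password",
]

if __name__ == "__main__":
    for line in SAMPLES:
        ev = apply_filter(line)
        print(ev.get("dialplan_priority", "-"), ev["tags"],
              ev.get("asterisk_app", "-"), repr(ev.get("problem2", "-")))
```

Running it prints one row per sample line: the two page lines land in their branch and get `asterisk_app`, `problem1` and `problem2` (with the trailing space in `problem1` for the priority-1 line, exactly as in the rubydebug output above); the priority-27 line matches the main grok only; the NOTICE line carries `_grokparsefailure` and no `action`, which is why a full log file mixed with other shapes looks as if the conditional "does not work" while a file of target lines only works.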