Customize document fields in elasticsearch

waitangi · July 11, 2018, 9:14am

I need to customize document fields in elasticsearch.
My logstash config is:
input {
file {
type => "IISLog"
path => "C:/inetpub/logs/LogFiles/W3SVC*/*.log"
start_position => "beginning"
}
}

filter {
#ignore comments
if [message] =~ "^#" {
drop {}
}

grok {
	#match => ["message", "%{COMBINEDAPACHELOG}"]
	match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:serviceName} %{WORD:serverName} %{IP:serverIP} %{WORD:method} %{URIPATH:uriStem} %{NOTSPACE:uriQuery} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clientIP} %{NOTSPACE:protocolVersion} %{NOTSPACE:userAgent} %{NOTSPACE:cookie} %{NOTSPACE:referer} %{NOTSPACE:requestHost} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:win32response} %{NUMBER:bytesSent} %{NUMBER:bytesReceived} %{NUMBER:timetaken}"]
}

mutate {
	add_field => {"bytes_sent" => "%{message}{bytesSent}"}
}

}

output {
stdout {
codec => rubydebug
}
elasticsearch {
hosts => [ "localhost:9200" ]
index => "logs"
}
}

All I want is to add document attribute 'bytes_sent' where bytes_sent is extracted from grok. How to get this part from grok expression? %{message.bytesSent} does not seems to work

waitangi · July 11, 2018, 11:25am

Sorry... My log entry did not matched grok expression. Now it works

system · August 8, 2018, 11:25am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Not displaying fields specified in the Logstash filter Logstash	11	4647	July 6, 2017
Logstash - adding new fields Logstash	3	4343	February 11, 2017
Grok for parsing java Log Logstash	9	22843	July 6, 2017
Fields not appearing in Kibana which are defined in Logstash Logstash	20	3243	May 2, 2018
Logstash: Adding custom field to documennt Logstash	6	1175	August 8, 2018

Customize document fields in elasticsearch

Related Topics