Customize document fields in elasticsearch

waitangi · July 11, 2018, 9:14am

I need to customize document fields in elasticsearch.
My logstash config is:
input {
file {
type => "IISLog"
path => "C:/inetpub/logs/LogFiles/W3SVC*/*.log"
start_position => "beginning"
}
}

filter {
#ignore comments
if [message] =~ "^#" {
drop {}
}

grok {
	#match => ["message", "%{COMBINEDAPACHELOG}"]
	match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:serviceName} %{WORD:serverName} %{IP:serverIP} %{WORD:method} %{URIPATH:uriStem} %{NOTSPACE:uriQuery} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clientIP} %{NOTSPACE:protocolVersion} %{NOTSPACE:userAgent} %{NOTSPACE:cookie} %{NOTSPACE:referer} %{NOTSPACE:requestHost} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:win32response} %{NUMBER:bytesSent} %{NUMBER:bytesReceived} %{NUMBER:timetaken}"]
}

mutate {
	add_field => {"bytes_sent" => "%{message}{bytesSent}"}
}

}

output {
stdout {
codec => rubydebug
}
elasticsearch {
hosts => [ "localhost:9200" ]
index => "logs"
}
}

All I want is to add document attribute 'bytes_sent' where bytes_sent is extracted from grok. How to get this part from grok expression? %{message.bytesSent} does not seems to work

waitangi · July 11, 2018, 11:25am

Sorry... My log entry did not matched grok expression. Now it works

system · August 8, 2018, 11:25am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.