Customize document fields in elasticsearch

waitangi · July 11, 2018, 9:14am

I need to customize document fields in elasticsearch.
My logstash config is:
input {
file {
type => "IISLog"
path => "C:/inetpub/logs/LogFiles/W3SVC*/*.log"
start_position => "beginning"
}
}

filter {
#ignore comments
if [message] =~ "^#" {
drop {}
}

grok {
	#match => ["message", "%{COMBINEDAPACHELOG}"]
	match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:serviceName} %{WORD:serverName} %{IP:serverIP} %{WORD:method} %{URIPATH:uriStem} %{NOTSPACE:uriQuery} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clientIP} %{NOTSPACE:protocolVersion} %{NOTSPACE:userAgent} %{NOTSPACE:cookie} %{NOTSPACE:referer} %{NOTSPACE:requestHost} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:win32response} %{NUMBER:bytesSent} %{NUMBER:bytesReceived} %{NUMBER:timetaken}"]
}

mutate {
	add_field => {"bytes_sent" => "%{message}{bytesSent}"}
}

}

output {
stdout {
codec => rubydebug
}
elasticsearch {
hosts => [ "localhost:9200" ]
index => "logs"
}
}

All I want is to add document attribute 'bytes_sent' where bytes_sent is extracted from grok. How to get this part from grok expression? %{message.bytesSent} does not seems to work

waitangi · July 11, 2018, 11:25am

Sorry... My log entry did not matched grok expression. Now it works

system · August 8, 2018, 11:25am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Not displaying fields specified in the Logstash filter Logstash	11	4653	July 6, 2017
Grok for parsing java Log Logstash	9	22864	July 6, 2017
Fields not appearing in Kibana which are defined in Logstash Logstash	20	3254	May 2, 2018
Logstash: Adding custom field to documennt Logstash	6	1176	August 8, 2018
I need add field, and do value counter, how do it? Elasticsearch	8	503	March 12, 2022

Customize document fields in elasticsearch

Related topics