EFK | Filebeat

Hassan_Ahmed · October 17, 2023, 1:02pm

[2023-10-16 12:43:41] | DEBUG | watch_dir | django.utils.autoreload | Watching dir /home/hassan/Documents/PROJECTS/vault-api/venv/lib/python3.10/site-packages/oauth2_provider/locale with glob.

I have a log file above with "|" seprated and i want to dissect and tokenize it with filebeat processors and put the value in add_fields fields. Please correct me if i am doing wrong thanks

Example:

filebeat.inputs:

type: log
enabled: true
paths:
- /usr/share/filebeat/logs/*.log
  multiline.pattern: '^['
  multiline.negate: true
  multiline.match: after

output.elasticsearch:
hosts: ["elasticsearch:9200"]

processors:

dissect:
tokenizer: '"[%{asctime}] | %{levelname} | %{funcName} | %{name} | %{message}"'
field: "message"
target_prefix: ""
add_fields:
target: Project
fields:
Time: "%{asctime}"
Level: "%{levelname}"
Function: "%{funcName}"
Name: "%{name}"
Message: "%{message}"

suman.kumar · November 1, 2023, 2:02pm

Hi @Hassan_Ahmed

By default filebeat is having "message" field, so won't be able to create a new field with same name.

Could you please try below without add_fields. Following contents will automatically add field name mentioned in {}.

dissect:
tokenizer: '%{asctime} | %{levelname} | %{funcName} | %{name} | %{message_new}'
field: "message"
target_prefix: ""

Thanks..!!

system · November 29, 2023, 2:02pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to extract string from the log and create a new field and send to elastic search index Beats filebeat	3	610	July 23, 2023
Moving from ELK to EFK Beats docker , filebeat	3	1191	November 26, 2019
About FileBeat Dissect processor Beats filebeat	2	852	October 28, 2022
Edditing The Filebeat Default Mappings Beats filebeat	2	410	November 8, 2019
Nginx module and keyword fields Beats filebeat	3	978	November 30, 2017

EFK | Filebeat

Related Topics