Enrich filebeat content using ingest pipeline

dwjvaughan · December 6, 2016, 3:00pm

I want to use filebeat to send Oracle alert logs to Elasticsearch. So far I've managed to get the data in (using some multiline magic). Ideally I want to use a pipeline on the ES side to extract the date, errors (ORA-), keywords etc. from the message and have them as separate fields in the indexes. I vaguely remember seeing something similar demonstrated at Elastic{ON} London, wish I'd been paying more attention!

If anyone knows if/how this can be done, I'd really appreciate some guidance.

Many thanks,
Dave

EDIT: OK, so I found some documentation: https://www.elastic.co/guide/en/elasticsearch/reference/master/grok-processor.html

So now I have this:

post _ingest/pipeline/_simulate
{
  "pipeline": {
  "description" : "grok test",
  "processors": [
    {
      "grok": {
        "field": "message",
        "patterns": ["%{DATESTAMP_OTHER:ora-date}"]
      }
    }
  ]
},
"docs":[
  {
    "_source": {
      "message": "Wed Aug 26 16:29:35 2015\nStarting background process CJQ0"
    }
  }
  ]
}

The issue I have is that the Oracle date doesn't appear to be in a standard setting, can I extract this using Grok?

The above gives me the following (presumable because the date is in the wrong format):

java.lang.IllegalArgumentException: java.lang.IllegalArgumentException: Provided Grok expressions do not match field value: [Wed Aug 26 16:29:35 2015\nStarting background process CJQ0

dwjvaughan · December 7, 2016, 8:36am

Just in case anyone stumbles upon this, I've managed to extract the date successfully. I'm no regexpert (haha!), and I'm sure there's a more graceful way, but it is working:

post _ingest/pipeline/_simulate
{
  "pipeline": {
  "description" : "grok test",
  "processors": [
    {
      "grok": {
        "field": "message",
        "patterns": ["%{ORADATE:ora-date}"],
        "pattern_definitions": {
          "ORADATE" :
          "^[A-Z]{1}[a-z]{2} [A-Z]{1}[a-z]{2} [0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2} [0-9]{4}"
          
        }
      }
    },
      {
      "date": {
        "field": "ora-date",
        "formats": [ "EEE MMM dd HH:mm:ss YYYY" ]
      }
    }
  ]
},
"docs":[
  {
    "_source": {
      "message": "Wed Aug 26 16:29:35 2015\nStarting background process CJQ0"
    }
  }
  ]
}

ruflin · December 7, 2016, 8:49am

@dwjvaughan Glad you found a solution and thanks for sharing it with the community.

steffens · December 7, 2016, 12:42pm

Great you got this working.

ingest node grok ships some default grok patterns. see github. Not sure how you could re-use these patterns or enhance by installing your own ones.

system · January 4, 2017, 12:42pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat error using ingest pipeline: Provided Grok expressions do not match field value Beats filebeat	4	6095	June 15, 2017
Struggling with filebeat and elasticsearch ingest pipeline for processing custom log file that has weird date/time format Beats filebeat	8	1533	September 18, 2020
Filebeat Apache Module Ingest Pipeline Beats filebeat	1	586	October 18, 2019
Some questions about Filebeat that are not clear in the docs Beats filebeat	6	633	July 12, 2019
Converting logstash to filebeat module strangeness Beats filebeat	9	386	July 11, 2019

Enrich filebeat content using ingest pipeline

Related Topics