Everchanging Pattern - Logstash

adic26 · June 13, 2017, 2:25pm

Hello all,

I am completely a newbie on this. I have started to use the ELK on my system, and it is great to grab the known patterns. So far I have gotten my system to grab logfiles via Filebeat to parse the logfiles and ship it to logstash , where logstash grabs the known pattern and bob's my uncle!

However, in my situation I have a unique problem. My application sometimes fails on an unknown situation, where I want to assess and then it becomes a known pattern which I would add to logstash configuration. Is there such a system with ELK that it can grab unknown patterns and lets the system admin know ? Or some sort of visualization system that lets me know that there were logfiles that was shipped to logstash, but logstash was unable to recognize the pattern?

Thanks

magnusbaeck · June 13, 2017, 2:32pm

It's not clear from your question what kind of filters you have, but many Logstash filters add tags when they fail. The grok filter for example adds a _grokparsefailure tag when none of the provided expressions match the event. You could search for events with that tag in Kibana or you could set up Elastic Watcher or Elastalert to fire an alert when it sees new such events.

adic26 · June 13, 2017, 2:35pm

Thanks so much! I needed a nudge in the right direction.

system · July 11, 2017, 2:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Tag with pattern used Logstash	3	563	May 9, 2017
Logstash Custom Filters and Patterns Logstash	11	6373	August 11, 2017
Migrating Filter/Plugin/Pattern to Logstash 1.5 Logstash	4	2628	July 6, 2017
Matching multiple Grok patterns in a single Logstash config file Logstash	2	3511	May 30, 2017
Use logcheck ignore rules Logstash	6	1829	July 6, 2017

Everchanging Pattern - Logstash

Related topics