Extract field from source

The event from Filebeat contains the source field, which contains the log filename. How do I use grok to extract some data from it?

Just use grok as you normally would, except that you configure it to parse the source field rather than the usual message field.

If you want a concrete example you'll have to tell us what "some data" is.

I get grokparsefailure tags but I don't see any logs in console or in the file.

Show us your config and what an event produced by Logstash looks like. Use a stdout { codec => rubydebug } output.
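The approach described in the replies above, written out as a Logstash pipeline fragment. This is an added example, not a config posted by anyone in the thread; the path layout and the field names app_name, env and file_date are assumptions made for illustration.

```logstash
filter {
  grok {
    # Parse the Filebeat "source" field (the log file path) instead of "message".
    # Assumed (constructed) layout: ...\<app_name>\<env>-<yyyyMMdd>.log
    # e.g. C:\logs\billing\prod-20180101.log; either path separator is accepted.
    # Backslashes are written for the default setting config.support_escapes: false.
    match => {
      "source" => "[\\/](?<app_name>[^\\/]+)[\\/](?<env>[A-Za-z]+)-(?<file_date>\d{8})\.log$"
    }
    # A distinct tag tells a failure of this grok apart from any other grok
    # in the pipeline, which would otherwise all add _grokparsefailure.
    tag_on_failure => ["_source_grokparsefailure"]
  }
}

output {
  # Print every event in full so the extracted fields and any failure tags
  # can be inspected on the console.
  stdout { codec => rubydebug }
}
```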

I see time in 20180101 12:34:56.1234 format. I tried pattern yyyyMMdd HH:mm:ss.SSSS and I am getting dateparsefailure. What pattern can I use?

When the date filter fails it'll log details in the Logstash log.

I'm not getting any error logs. I tried changing log4j properties also. Mine is a Windows installation.
