Extract rows from log using http plugin

mfellah · November 3, 2017, 4:35pm

Hi,

I'm trying to use http plugin to receive log with this format :
2017-10-31-07:29:05 - DEBUG Waiting for callback, for command id : 56232
2017-10-31-07:29:05 - DEBUG Waiting for callback...
2017-10-31-07:29:06 - DEBUG Callback called after 1000

I have this configuration file :

input {
        http {
        } 

    } 

    filter
    {

        split{
            }
        grok {
            match => { "message" => "(?<date>\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}) - %{WORD:loglevel} %{GREEDYDATA:description}"}
        }


    }
    output { 
        stdout { 
            codec => rubydebug
            } 
    }

Unfortunately, logstash reads all the log input in one event. (as if it was an one line log file).
How should I configure logstash?
thank you very much by advance

Mohamed

magnusbaeck · November 6, 2017, 6:20am

Works fine for me. Please show an example from your stdout output.

mfellah · November 6, 2017, 9:25am

Thank you for answering

I have this result :

{
           "date" => "2017-10-31-07:29:05",
        "headers" => {
            "http_accept" => "*/*",
           "content_type" => "application/x-www-form-urlencoded",
           "request_path" => "/twitter/tweet/1",
           "http_version" => "HTTP/1.1",
         "request_method" => "PUT",
              "http_host" => "localhost:8080",
            "request_uri" => "/twitter/tweet/1",
         "content_length" => "177",
        "http_user_agent" => "curl/7.38.0"
    },
     "@timestamp" => 2017-11-06T09:20:42.873Z,
       "loglevel" => "DEBUG",
       "@version" => "1",
           "host" => "127.0.0.1",
    "description" => "Waiting for callback, for command id : 562322017-10-31-07:29:05 - DEBUG Waiting for callback...2017-10-31-07:29:06 - DEBUG Callback called after 1000",
        "message" => "2017-10-31-07:29:05 - DEBUG Waiting for callback, for command id : 562322017-10-31-07:29:05 - DEBUG Waiting for callback...2017-10-31-07:29:06 - DEBUG Callback called after 1000"
}

I would like something like :

{
           "date" => "2017-10-31-07:29:05",
        "headers" => {
            "http_accept" => "*/*",
           "content_type" => "application/x-www-form-urlencoded",
           "request_path" => "/twitter/tweet/1",
           "http_version" => "HTTP/1.1",
         "request_method" => "PUT",
              "http_host" => "localhost:8080",
            "request_uri" => "/twitter/tweet/1",
         "content_length" => "177",
        "http_user_agent" => "curl/7.38.0"
    },
     "@timestamp" => 2017-11-06T09:20:42.873Z,
       "loglevel" => "DEBUG",
       "@version" => "1",
           "host" => "127.0.0.1",
    "description" => "Waiting for callback, for command id : 562322",
        "message" => "2017-10-31-07:29:05 - DEBUG Waiting for callback, for command id : 56232"
},

{
           "date" => "2017-10-31-07:29:05",
        "headers" => {
            "http_accept" => "*/*",
           "content_type" => "application/x-www-form-urlencoded",
           "request_path" => "/twitter/tweet/1",
           "http_version" => "HTTP/1.1",
         "request_method" => "PUT",
              "http_host" => "localhost:8080",
            "request_uri" => "/twitter/tweet/1",
         "content_length" => "177",
        "http_user_agent" => "curl/7.38.0"
    },
     "@timestamp" => 2017-11-06T09:20:42.873Z,
       "loglevel" => "DEBUG",
       "@version" => "1",
           "host" => "127.0.0.1",
    "description" => "Waiting for callback, for command id : 562322",
        "message" => "2017-10-31-07:29:05 - DEBUG Waiting for callback..."
},

{
           "date" => "2017-10-31-07:29:06",
        "headers" => {
            "http_accept" => "*/*",
           "content_type" => "application/x-www-form-urlencoded",
           "request_path" => "/twitter/tweet/1",
           "http_version" => "HTTP/1.1",
         "request_method" => "PUT",
              "http_host" => "localhost:8080",
            "request_uri" => "/twitter/tweet/1",
         "content_length" => "177",
        "http_user_agent" => "curl/7.38.0"
    },
     "@timestamp" => 2017-11-06T09:20:42.873Z,
       "loglevel" => "DEBUG",
       "@version" => "1",
           "host" => "127.0.0.1",
    "description" => "Callback called after 1000",
        "message" => "2017-10-31-07:29:06 - DEBUG Callback called after 1000"
}

thank you

magnusbaeck · November 6, 2017, 10:34am

Okay, weird. I get the expected result with Logstash 2.4.

mfellah · November 6, 2017, 10:55am

I have the 5.6.0 version (result of logstash --version)

I'm using the last version of ELK

mfellah · November 22, 2017, 4:39pm

Any other idea maybe?

system · December 20, 2017, 4:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Capture Log for Logstash For every successfull pipeline execution Logstash	7	264	March 28, 2023
How to use grok pattern file in logstash filter Logstash	4	332	July 12, 2018
Grok pattern OK in debugger, but parse failure in logstash Logstash	5	739	March 25, 2020
New to logstash: file input and stdout output not working Logstash	3	8373	July 6, 2017
Running grok against an HTTP source Logstash	2	2705	July 6, 2017

Extract rows from log using http plugin

Related Topics