Extract rows from log using http plugin

mfellah · November 3, 2017, 4:35pm

Hi,

I'm trying to use http plugin to receive log with this format :
2017-10-31-07:29:05 - DEBUG Waiting for callback, for command id : 56232
2017-10-31-07:29:05 - DEBUG Waiting for callback...
2017-10-31-07:29:06 - DEBUG Callback called after 1000

I have this configuration file :

input {
        http {
        } 

    } 

    filter
    {

        split{
            }
        grok {
            match => { "message" => "(?<date>\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}) - %{WORD:loglevel} %{GREEDYDATA:description}"}
        }


    }
    output { 
        stdout { 
            codec => rubydebug
            } 
    }

Unfortunately, logstash reads all the log input in one event. (as if it was an one line log file).
How should I configure logstash?
thank you very much by advance

Mohamed

magnusbaeck · November 6, 2017, 6:20am

Works fine for me. Please show an example from your stdout output.

mfellah · November 6, 2017, 9:25am

Thank you for answering

I have this result :

{
           "date" => "2017-10-31-07:29:05",
        "headers" => {
            "http_accept" => "*/*",
           "content_type" => "application/x-www-form-urlencoded",
           "request_path" => "/twitter/tweet/1",
           "http_version" => "HTTP/1.1",
         "request_method" => "PUT",
              "http_host" => "localhost:8080",
            "request_uri" => "/twitter/tweet/1",
         "content_length" => "177",
        "http_user_agent" => "curl/7.38.0"
    },
     "@timestamp" => 2017-11-06T09:20:42.873Z,
       "loglevel" => "DEBUG",
       "@version" => "1",
           "host" => "127.0.0.1",
    "description" => "Waiting for callback, for command id : 562322017-10-31-07:29:05 - DEBUG Waiting for callback...2017-10-31-07:29:06 - DEBUG Callback called after 1000",
        "message" => "2017-10-31-07:29:05 - DEBUG Waiting for callback, for command id : 562322017-10-31-07:29:05 - DEBUG Waiting for callback...2017-10-31-07:29:06 - DEBUG Callback called after 1000"
}

I would like something like :

{
           "date" => "2017-10-31-07:29:05",
        "headers" => {
            "http_accept" => "*/*",
           "content_type" => "application/x-www-form-urlencoded",
           "request_path" => "/twitter/tweet/1",
           "http_version" => "HTTP/1.1",
         "request_method" => "PUT",
              "http_host" => "localhost:8080",
            "request_uri" => "/twitter/tweet/1",
         "content_length" => "177",
        "http_user_agent" => "curl/7.38.0"
    },
     "@timestamp" => 2017-11-06T09:20:42.873Z,
       "loglevel" => "DEBUG",
       "@version" => "1",
           "host" => "127.0.0.1",
    "description" => "Waiting for callback, for command id : 562322",
        "message" => "2017-10-31-07:29:05 - DEBUG Waiting for callback, for command id : 56232"
},

{
           "date" => "2017-10-31-07:29:05",
        "headers" => {
            "http_accept" => "*/*",
           "content_type" => "application/x-www-form-urlencoded",
           "request_path" => "/twitter/tweet/1",
           "http_version" => "HTTP/1.1",
         "request_method" => "PUT",
              "http_host" => "localhost:8080",
            "request_uri" => "/twitter/tweet/1",
         "content_length" => "177",
        "http_user_agent" => "curl/7.38.0"
    },
     "@timestamp" => 2017-11-06T09:20:42.873Z,
       "loglevel" => "DEBUG",
       "@version" => "1",
           "host" => "127.0.0.1",
    "description" => "Waiting for callback, for command id : 562322",
        "message" => "2017-10-31-07:29:05 - DEBUG Waiting for callback..."
},

{
           "date" => "2017-10-31-07:29:06",
        "headers" => {
            "http_accept" => "*/*",
           "content_type" => "application/x-www-form-urlencoded",
           "request_path" => "/twitter/tweet/1",
           "http_version" => "HTTP/1.1",
         "request_method" => "PUT",
              "http_host" => "localhost:8080",
            "request_uri" => "/twitter/tweet/1",
         "content_length" => "177",
        "http_user_agent" => "curl/7.38.0"
    },
     "@timestamp" => 2017-11-06T09:20:42.873Z,
       "loglevel" => "DEBUG",
       "@version" => "1",
           "host" => "127.0.0.1",
    "description" => "Callback called after 1000",
        "message" => "2017-10-31-07:29:06 - DEBUG Callback called after 1000"
}

thank you

magnusbaeck · November 6, 2017, 10:34am

Okay, weird. I get the expected result with Logstash 2.4.

mfellah · November 6, 2017, 10:55am

I have the 5.6.0 version (result of logstash --version)

I'm using the last version of ELK

mfellah · November 22, 2017, 4:39pm

Any other idea maybe?

system · December 20, 2017, 4:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.