Hi,
I have Winlogbeat that sends evtx files to Logstash, and then the output of Logstash goes to Elastic.
In the Windows event logs, there is a field named "message". The problem is that the field type is text, so I cannot use SQL wildcards (like '%') on that field.
I am trying to extract, for example, the "Error code:" from the long text in the message field.
I tried grok, kv and split filters, nothing worked.
Can anyone help?
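An added example of the kind of Logstash filter the question is asking about (not code from the thread or from Elastic): it assumes the event text sits in the top-level `message` field as Winlogbeat sends it, and the field name `win_error_code` and the sample message are my own constructions.

```conf
# Constructed sample of a multi-line Windows event message (not a real event):
#   The installation failed.
#   Product: Example Agent
#   Error code: 0x80070005
#
# Extract the value after "Error code:" into its own field so it can be
# filtered and aggregated instead of being buried in the analysed text field.
filter {
  # Only run grok on events that actually carry an error code, so the other
  # events are not tagged with _grokparsefailure.
  if [message] =~ "Error code:" {
    grok {
      # Grok is not anchored, so the pattern may match anywhere in the text.
      # Note the pattern deliberately avoids "." and %{GREEDYDATA}: in
      # Oniguruma "." does not cross newlines unless the pattern starts with
      # "(?m)", which is the usual reason a pattern that works on a single
      # line fails on multi-line Windows messages.
      # Accepts both hex (0x80070005) and decimal (1603) codes.
      match => {
        "message" => "Error code:%{SPACE}(?<win_error_code>0x[0-9A-Fa-f]+|[0-9]+)"
      }
      tag_on_failure => ["_no_error_code"]
    }
  }
}
```

With Elasticsearch's default dynamic mapping the new string field is indexed as text with a `.keyword` sub-field, so wildcard and term queries should target `win_error_code.keyword`.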
I suspect most of this would be done for you with the pipelines if you just sent Winlogbeat directly to Elasticsearch... if configured correctly... and you run setup, etc.
I always recommend getting the Beats->Elasticsearch architecture working first before introducing Logstash.
Once you get that working, then you can move towards the
Beats->Logstash->Elasticsearch Ingest architecture.
When you put Logstash in the middle, some important data is not forwarded unless you use it correctly.
Here is a post on something similar. It's Filebeat, but the concept is the same.
Hi stephenb,
Thanks for your reply.
I did not find a way to achieve my need with pipelines (I checked the official documents again). That's why I went with Logstash.
Thanks,
Itzik
Fair enough. If you want help with a Logstash pipeline, perhaps you should post a sample of your logs and your Logstash pipeline, and perhaps someone can help.
You did look at this