Hi,
I have winlogbeat that sends evtx files to logstash and than the output of logstash goes to elastic.
In the windows event logs, there is a field named "message". the problem is that the field type is text, so i cannot use sql wildcard (like '%') on that field.
I am trying to extract, for example the "Error code:" from the long text in the message field.
I tried grok, kv splits filters, nothing worked.
Can anyone help?
I suspect Most of this would be done for you with the pipelines if you just sent winlogbeat directly to elasticsearch .... if configured correctly... and you run setup etc.
I always recommend getting the Beats->Elasticsearch architecture working first before introducing Logastash
Once you get that working then you can move towards
Beats->Logstash->Elastcsearch Ingest Architecture
When you put logstash in the middle some important data is not forwarded unless you use the correctly
Here is a post on similar.. its filebeat but the concept is the same
Hi stephenb,
Thanks for your reply.
I did not find a way to achieve my need with pipelines(I checked the official documents again) . that's why I went with logstash.
Thanks,
Itzik
Fair enough, if you want help with a logstash pipeline perhaps you should post a sample of you logs and your logstash pipeline and perhaps someone can help.
You did look at this