Fields in messages

kayaHL · January 24, 2018, 2:15am

Hi guys, I am new to Elasticsearch... I am using filebeat to ship the multiple line unstructured messages to logstash and use grok filter to structure the data. However, I noticed in the application logs, between messages, some messages have less field/value pair, some messages have more field/value pair, the grok
patterns doesn't work for all messages... so of the messages can't be structured. Could someone help me and give me a right direction for the solution?

Example:

message 1:

04:45:01.633 - R (1,2) msglen:89 New
Timestamp:109660 ItemCode:TEST1 ListingDate:20100102 Expiry:0 Term:

message 2:

04:45:01.633 - R (5,9) msglen:97 DELETE
Timestamp:20988 ItemCode:TEST2 ListingType:CIN ListingDate:20160102 Term: Processingdate: 2017-0108

Many thanks!

dadoonet · January 24, 2018, 8:44am

I believe it's more a #logstash question so I moved your post.

BTW please format your code using </> icon as explained in this guide and not the citation button. It will make your post more readable.

Or use markdown style like:

```
CODE
```

Please edit your post.

magnusbaeck · January 26, 2018, 7:49am

Use a kv filter to parse lists of key/value pairs, not grok.

kayaHL · January 26, 2018, 5:41pm

Thank you! I will give it a try.

system · February 23, 2018, 5:42pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Advice to get different unstrctured log data into structured format Logstash	1	205	May 12, 2022
Make Readable message in kibana Logstash	1	242	November 5, 2020
Not displaying fields specified in the Logstash filter Logstash	11	4653	July 6, 2017
How to extract and transform unstructured data into fields Logstash	6	824	August 3, 2017
Logstash/Grok help Logstash	5	429	May 31, 2017

Fields in messages

Related topics