Filebeat and parsing

Hi All,

I have text files on my Windows machine, so I have installed Filebeat on it to send the data to Logstash, and I am receiving the data.

My Logstash conf looks like this:

input {
  beats {
    port => 5143
    tags => "files"
  }
}

filter {
  if [tags] == "files" {
    kv {
      field_split => " "
      value_split => "="
    }
  }
}

output {
  if ( "files" in [tags] ) {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "logstash_files-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
  }
}

But still, when I look in Kibana, the fields are not split.

The message looks like this in Kibana:

q_id="0001" user="xxx" registration_date="xxx" log_ts="00000" transaction_code="xx" terminal_name="" security_center="34" task_id="889" record_type="6" log_type="0" authenticated="0" application="" function="" used_administrative_id="0000000000" security_administrative_id="0000" registration_date_2="4444582" double_log="0" security_organisation="0000" TRANSAKTION="WW XX ZZ"

But I want to separate the fields,

like q_id 0001
user xxx
log_ts 0000

Any help would be really useful and much appreciated.

Thanks,
Raj

Hi,
Double check the if condition in the filter section. I think it should be if "files" in [tags].

Thank you so much for the reply, and it works. Could you please let me know what has to be done if I want to remove the " (double quote) in the field and value?

FIELD is equal to DELSA="NR and value is 1235648978"

so I want it as

Field as DELSA=NR and value as 1235648978

Thanks,
Raj
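
Added example, not part of the thread: a stand-alone test pipeline that applies the conditional suggested in the reply and strips literal double quotes from parsed keys and values using the kv filter's remove_char_key and remove_char_value options. The stdin input, the stdout output and the assumption that the leftover quotes are literal characters in the key or value are choices made for this example, so that the filter can be checked by pasting a log line before any Beats or Elasticsearch traffic is involved.

```logstash
# Test harness (assumption for this example): read lines from the terminal
# and tag them the same way the beats input in the thread does.
input {
  stdin {
    tags => ["files"]
  }
}

filter {
  # tags is stored on the event as an array, so test for membership.
  # [tags] == "files" compares the whole array against one string,
  # which is why the kv filter in the original config never ran.
  if "files" in [tags] {
    kv {
      source      => "message"
      field_split => " "
      value_split => "="
      # Remove literal double quotes that remain in a parsed key or value.
      remove_char_key   => '"'
      remove_char_value => '"'
    }
  }
}

# Print each parsed event so the resulting fields can be inspected directly.
output {
  stdout {
    codec => rubydebug
  }
}
```

Run it with bin/logstash -f and the file name, then paste a line such as the message shown in the first post; q_id, user, log_ts and the other keys should be printed as separate fields.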
