Filter - grok, date and kv example

siddhardhan · August 15, 2018, 2:21am

I am newbie to logstash and trying to ship logs using logstash agent to splunk server. But having trouble shipping the logs. Need help / guidance.

Below is my log format:

2018.07.12.12:34:31:232 GID=xxx FID=asdf STRT=12121322
2018.07.15.14:34:31:232 GID=yyy FID=fdsa STRT=12421121

and my logstash conf is as given below:

input {
file {
path => "/logs/app.log"
start_position => beginning
}

filter {
grok {
match => { "message" => "%{SYSLOGPROG:logdata}%{SPACE}%{GREEDYDATA:msg} }
}
date {
match => ["logdata", "YYYY.MM.dd.HH:mm:ss:SSS"]
target => "logdata"
}
kv {
source => msg
trim => "="
target => "kv"
}
}

output {
tcp {
host => "splunkhost.net"
port => "18604"
}

NerdSec · August 15, 2018, 4:44am

Hi Sid,

First of all, please format your post (code blocks) so that it is easier to read and troubleshoot.
Secondly, if you could provide clarity about what is the issue that you are facing it would allow us to help you easily.
Lastly the config that you have already in place looks good enough and is able to parse the data. One suggestion I would make is that there is no need to assign the match of %{SYSLOGPROG} to logdata. You will only add a redundant field called logdata as by default %{SYSLOGPROG} will add a field called program.

Krunal_kalaria · August 15, 2018, 4:44am

Hey @siddhardhan,

Can you show me that error log you are getting while sending the logs.

Thanks & Regards,
Krunal.

Topic		Replies	Views
Create pattern in logstash Logstash	16	2410	January 15, 2018
GROK filter with KV Logstash	1	225	February 12, 2021
Logstash/Grok help Logstash	5	485	May 31, 2017
KV filter not splitting log Logstash	1	273	October 1, 2020
Logstash KV filter not working on Greedydata Logstash	4	57	April 4, 2025

Filter - grok, date and kv example

Related topics