I am getting 3 types of messages in Logstash; based on the type, I need to parse each one and save it in Elasticsearch in 3 different indices.
Message 1 => "2021-05-26T09:55:36.091040+00:00 10.13.14.11 [S=294230650] [ID=fbf282:30:11158988] !!! Repeated 38332 times"
Message 2 => "2021-06-10T09:57:02.237521+00:00 10.13.14.11 [S=21473] |START |ABC |1aa9d286a960501696a33c107b71f21b"
Message 3 => "2021-05-26T10:51:04.139725+00:00 10.10.15.11 [2021-05-26 10:56:05,308] 4066 0002 com.sonus.sbc.sip INFO (TransportLayer.cpp:1073) - DataReadCB: Received "
I tried the configuration below, but it is not working.
# Receive events from Beats shippers (e.g. Filebeat). No ssl options are set
# on this input, so the listener accepts plaintext connections on the port.
input {
  beats {
    port => 5044
  }
}
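# Classify each raw line into one of three shapes and extract the common
# fields. grok's add_field only fires on a successful match, so an event that
# matches none of the patterns gets a _grokparsefailure tag and no msgType,
# and the output section routes it to the default index.
filter {
  if "[S=" in [message] and "[ID=" in [message] {
    # Message 1: "<ts> <ip> [S=<seq>] [ID=<id>] <text>"
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{IP:IP}%{SPACE}\[%{DATA:SeqNo}\]%{SPACE}\[%{DATA:ID}\]%{SPACE}%{GREEDYDATA:message}" }
      # Capturing into an existing field appends to it, turning "message"
      # into an array [raw, parsed]; overwrite replaces it instead.
      overwrite => ["message"]
      add_field => { "msgType" => "message1" }
    }
  } else if "[S=" in [message] {
    # Message 2: "<ts> <ip> [S=<seq>] <text>"
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{IP:IP}%{SPACE}\[%{DATA:SeqNo}\]%{SPACE}%{GREEDYDATA:message}" }
      overwrite => ["message"]
      add_field => { "msgType" => "message2" }
    }
  } else {
    # Message 3: "<ts> <ip> [<second timestamp>] <text>"; the body goes to a
    # separate field here, so the raw "message" is kept as-is.
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{IP:IP}%{SPACE}\[%{DATA:anotherDate}\]%{SPACE}%{GREEDYDATA:messageBody}" }
      add_field => { "msgType" => "message3" }
    }
  }

  # Use the timestamp from the log line as @timestamp instead of the time
  # Logstash received the event, so the daily indices built from
  # %{+YYYY.MM.dd} in the output reflect when the event actually happened.
  # When no pattern matched there is no "timestamp" field and this is a no-op.
  date {
    match => ["timestamp", "ISO8601"]
  }
}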
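# Route each event to a per-type daily index. msgType is only ever set by the
# grok add_field in the filter section, with the fixed values message1/2/3,
# so it is safe to interpolate into the index name; the explicit list below
# keeps any other (or missing) value on the default index, as before.
output {
  if [msgType] in ["message1", "message2", "message3"] {
    elasticsearch {
      # Plain http to the cluster; once Elasticsearch has TLS enabled, add
      # ssl => true and point cacert at the cluster CA so credentials are
      # not sent in the clear.
      hosts => "10.133.11.23:9200"
      # Credentials are read from the Logstash keystore or environment
      # (bin/logstash-keystore add ES_USER / ES_PWD) instead of being
      # hard-coded in the pipeline file; the :default fallback keeps the
      # original values so the pipeline still starts without changes.
      user => "${ES_USER:elastic}"
      password => "${ES_PWD:changeme}"
      ecs_compatibility => disabled
      index => "%{msgType}-%{+YYYY.MM.dd}"
    }
  } else {
    # Events whose msgType was never set (no grok pattern matched; they
    # also carry the _grokparsefailure tag).
    elasticsearch {
      hosts => "10.133.11.23:9200"
      user => "${ES_USER:elastic}"
      password => "${ES_PWD:changeme}"
      ecs_compatibility => disabled
      index => "default-%{+YYYY.MM.dd}"
    }
  }
}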