Grok an Elasticsearch problem

Hi, I use ELK (7.2.x) on my localhost and I have a problem.
I have a log file like this:
2020-11-30 05:52:33,018 [9344] INFO Zdk.ServiceProvider.ServiceThread [] - Thread [Core[8047e7a3-c403-4fe4-ab87-9bea0c0ab449]:0]: idle check on every 15000ms
and I have this logstash conf:

input {
   file {
        path => "/opt/log/ICU/*"
        start_position => "beginning"
        # /dev/null sincedb: the whole file is re-read on every restart (fine for testing)
        sincedb_path => "/dev/null"
   }
}

filter {
    grok {
        # Note the two spaces after %{LOGLEVEL:loglevel}: the sample line has only one,
        # so this pattern never matches and every event is tagged _grokparsefailure.
        match => { "message" => "%{GREEDYDATA:logdate} \[%{INT:deger}\] %{LOGLEVEL:loglevel}  %{GREEDYDATA:svctpye} \[\] - %{GREEDYDATA:message}.*" }
        add_field => { "tip" => "icu" }
    }
    date {
      # Joda syntax: "dd" is day of month, "DD" would be day of year
      match => ["logdate", "YYYY-MM-dd HH:mm:ss,SSS", "YYYY/MM/dd HH:mm:ss,SSS", "ISO8601"]
      # no field named "timestamp" exists in this event, so this is a no-op;
      # use "logdate" here to drop the raw string once @timestamp has been set
      remove_field => [ "timestamp" ]
    }
}

output {
   elasticsearch {
        hosts => ["localhost:9200"]
        index => "icu"
   }
}

When I start logstash I only see the
_grokparsefailure
value in Kibana. Some of the records may not match my grok pattern, but I only see this record. Where are the successfully matched records?
Thanks.

Check for 2 spaces after %{LOGLEVEL:loglevel}. There should be only 1.

After removing it, it worked, and I show the below as the output, which I think is what you want.
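To see why the double space makes every event fail, here is an added example (Python, written for this page; it is not part of the thread and not Logstash code) that expands grok `%{NAME:field}` references into a regex the way the grok filter does, applies the pattern to the sample line, and tags the event `_grokparsefailure` on a miss. It assumes a hand-written subset of the grok pattern library (INT, GREEDYDATA, and a simplified LOGLEVEL that only lists the common level names), and a `parse_logdate` helper standing in for the date filter's `YYYY-MM-dd HH:mm:ss,SSS` pattern.

```python
import re
from datetime import datetime

# Hand-written subset of the Logstash grok pattern library (assumption for this example).
# LOGLEVEL is simplified: the stock pattern also accepts abbreviations such as "Warn"/"Err".
GROK_PATTERNS = {
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "GREEDYDATA": r".*",
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|NOTICE|WARN(?:ING)?|ERROR|CRITICAL|FATAL|SEVERE|"
                r"trace|debug|info|notice|warn(?:ing)?|error|critical|fatal|severe)",
}

GROK_REF = re.compile(r"%\{(?P<name>\w+)(?::(?P<field>\w+))?\}")

# Constructed sample: the log line from the question, and the two grok patterns
# (the posted one with two spaces after LOGLEVEL, and the corrected one with one).
SAMPLE_LINE = ("2020-11-30 05:52:33,018 [9344] INFO Zdk.ServiceProvider.ServiceThread [] - "
               "Thread [Core[8047e7a3-c403-4fe4-ab87-9bea0c0ab449]:0]: idle check on every 15000ms")
POSTED_PATTERN = (r"%{GREEDYDATA:logdate} \[%{INT:deger}\] %{LOGLEVEL:loglevel}  "
                  r"%{GREEDYDATA:svctpye} \[\] - %{GREEDYDATA:message}.*")
FIXED_PATTERN = (r"%{GREEDYDATA:logdate} \[%{INT:deger}\] %{LOGLEVEL:loglevel} "
                 r"%{GREEDYDATA:svctpye} \[\] - %{GREEDYDATA:message}.*")


def compile_grok(pattern: str) -> re.Pattern:
    """Expand each %{NAME:field} reference into a Python named group."""
    def expand(m: re.Match) -> str:
        body = GROK_PATTERNS[m.group("name")]
        field = m.group("field")
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    # re.sub with a callable inserts the returned text literally (no backslash processing)
    return re.compile(GROK_REF.sub(expand, pattern))


def grok_event(line: str, pattern: str) -> dict:
    """Mimic the grok filter: the pattern is searched (unanchored) in the message;
    captured fields are added on a match, otherwise the event gets _grokparsefailure."""
    event = {"message": line, "tags": []}
    m = compile_grok(pattern).search(line)
    if m is None:
        event["tags"].append("_grokparsefailure")
        return event
    for field, value in m.groupdict().items():
        if field in event and not isinstance(event[field], list):
            # grok does not overwrite an existing field unless told to (overwrite => [...]);
            # it promotes the field to an array [original, captured] instead
            event[field] = [event[field], value]
        else:
            event[field] = value
    return event


def parse_logdate(value: str) -> datetime:
    """Python equivalent of the date filter pattern "YYYY-MM-dd HH:mm:ss,SSS"
    (Joda "dd" is day of month; "DD" would be day of year)."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S,%f")


if __name__ == "__main__":
    for label, pattern in (("posted (two spaces)", POSTED_PATTERN), ("fixed (one space)", FIXED_PATTERN)):
        ev = grok_event(SAMPLE_LINE, pattern)
        print(label, "->", ev["tags"] or {k: v for k, v in ev.items() if k not in ("message", "tags")})
    print("parsed @timestamp:", parse_logdate(grok_event(SAMPLE_LINE, FIXED_PATTERN)["logdate"]))
```

Because the sample line has a single space after `INFO`, the posted pattern can never match anywhere in the line, so every event is tagged and none reaches the index with parsed fields. Note also that capturing into `message` leaves the field as an array of original plus captured text; add `overwrite => ["message"]` to the grok filter if only the captured part is wanted.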
