Hello, everyone.
I have a problem with running grok and dissect filtering at once. My config:
grok {
match => { 'message' => '\[%{TIMESTAMP_ISO8601:time_stamp}\] \[%{DATA:correlation_id}\] \[%{LOGLEVEL:log_level}\] \[%{DATA:source}\] \[%{DATA:uri_domain}\] \[%{DATA:someParameter1}\] \[%{DATA:someParameter2}\] %{GREEDYDATA:message}' }
}
dissect {
mapping => {
'message' => '[%{time_stamp}] [%{correlation_id}] [%{log_level}] [%{source}] [%{uri_domain}] [%{someParameter1}] [%{someParameter2}] %{message}'
}
}
mutate {
add_field => { "[log_type]" => "services" }
}
date {
match => ["time_stamp", "ISO8601"]
target => "@timestamp"
remove_field => [ "time_stamp" ]
}
And message i try to filter/dissect is:
"message": "[2020-03-28T13:40:46.487] [0HLUIAK4FP7PP:00000001] [Info] [Microsoft.AspNetCore.Hosting.Diagnostics] [http://7c2d2ef3d838/health] [Consul Health Check] [] Request finished in 1.7305ms 200 application/json ",
And after issect I had a strange result in Elastic:
{
"_index": "someindex",
"_type": "_doc",
"_id": "Fh9DN3EB-H6bOdc5ghAi",
"_version": 1,
"_score": null,
"_source": {
"someParameter1": "Consul Health Check",
"container": {
"image": {
"name": "nexus.sibintek.ru:80/mes/sibintekmesdatacollectorhost:latest"
},
"id": "7a8252d247af509bd46e522b18c072145e433b5c5a06d53aa7a42b191349892d",
"labels": {
"com_docker_compose_service": "datacollector",
"com_docker_compose_version": "1.25.4",
"com_docker_compose_oneoff": "False",
"com_docker_compose_config-hash": "edd50eece59244be62e51b03bcef017df9e00984f672f529a5c20be3e1883714",
"com_docker_compose_project": "docker",
"com_docker_compose_project_config_files": "Docker\\docker-compose.yml",
"com_docker_compose_container-number": "1"
},
"name": "docker_datacollector_1"
},
"someParameter2": "",
"ecs": {
"version": "1.4.0"
},
"host": {
"name": "bfdb0c038083"
},
"log_level": "Info",
"log_type": "services",
"tags": [
"beats_input_codec_plain_applied",
"_dateparsefailure"
],
"uri_domain": "http://7a8252d247af/health",
"input": {
"type": "container"
},
"agent": {
"ephemeral_id": "3f600c48-cfca-4aa5-a4f4-a3b2d9bd3576",
"version": "7.6.1",
"id": "ba03f4a2-9bf2-4f91-9a54-46cf4a9cf351",
"hostname": "bfdb0c038083",
"type": "filebeat"
},
"@timestamp": "2020-04-01T19:41:42.593Z",
"@version": "1",
"time_stamp": "\"[2020-04-01T22:41:42.593",
"log": {
"offset": 80400,
"file": {
"path": "/var/lib/docker/containers/7a8252d247af509bd46e522b18c072145e433b5c5a06d53aa7a42b191349892d/7a8252d247af509bd46e522b18c072145e433b5c5a06d53aa7a42b191349892d-json.log"
}
},
"stream": "stdout",
"correlation_id": "0HLUMEHK3AE8C:00000001",
"source": "Microsoft.AspNetCore.Hosting.Diagnostics",
"message": "Request finished in 1.7305ms 200 application/json \", \"Request finished in 1.7305ms 200 application/json \"]"
},
"fields": {
"@timestamp": [
"2020-04-01T19:41:42.593Z"
]
},
"sort": [
1585770102593
]
}
Seems like it transform a message into array with original message and then dissect only first one. I fond it out when try use wrong mapping configuration for dissect:
[2020-04-01T19:47:24,447][WARN ][org.logstash.dissect.Dissector][main] Dissector mapping, pattern not found {"field"=>"message", "pattern"=>"\\[%{time_stamp}] [%{correlation_id}] [%{log_level}] [%{source}] [%{uri_domain}] [%{someParameter1}] [%{someParameter2}] %{message}", "event"=>{"message"=>["[2020-04-01T22:47:19.846] [de385773-167a-4fcf-970f-51719e48ece8] [Info] [Microsoft.AspNetCore.Hosting.Diagnostics] [http://datacollector/api/datacollector/Tag] [] [] Request finished in 11.4625ms 200 application/json; charset=utf-8 ", "Request finished in 11.4625ms 200 application/json; charset=utf-8 "], "stream"=>"stdout", "@timestamp"=>2020-04-01T19:47:19.847Z, "container"=>{"image"=>{"name"=>"somedomain:80/datacollectorhost:latest"}, "name"=>"docker_datacollector_1", "labels"=>{"com_docker_compose_project"=>"docker", "com_docker_compose_version"=>"1.25.4", "com_docker_compose_container-number"=>"1", "com_docker_compose_project_config_files"=>"Docker\\docker-compose.yml", "com_docker_compose_service"=>"datacollector", "com_docker_compose_oneoff"=>"False", "com_docker_compose_project_working_dir"=>"C:\\somedir\\Docker", "com_docker_compose_config-hash"=>"edd50eece59244be62e51b03bcef017df9e00984f672f529a5c20be3e1883714"}, "id"=>"7a8252d247af509bd46e522b18c072145e433b5c5a06d53aa7a42b191349892d"}, "agent"=>{"ephemeral_id"=>"3f600c48-cfca-4aa5-a4f4-a3b2d9bd3576", "hostname"=>"bfdb0c038083", "version"=>"7.6.1", "type"=>"filebeat", "id"=>"ba03f4a2-9bf2-4f91-9a54-46cf4a9cf351"}, "time_stamp"=>"2020-04-01T22:47:19.846", "input"=>{"type"=>"container"}, "@version"=>"1", "log_level"=>"Info", "correlation_id"=>"de385773-167a-4fcf-970f-51719e48ece8", "tags"=>["beats_input_codec_plain_applied", "_dissectfailure"], "host"=>{"name"=>"bfdb0c038083"}, "log"=>{"file"=>{"path"=>"/var/lib/docker/containers/7a8252d247af509bd46e522b18c072145e433b5c5a06d53aa7a42b191349892d/7a8252d247af509bd46e522b18c072145e433b5c5a06d53aa7a42b191349892d-json.log"}, "offset"=>285381}, "uri_domain"=>"http://datacollector/api/datacollector/Tag", "source"=>"Microsoft.AspNetCore.Hosting.Diagnostics", "ecs"=>{"version"=>"1.4.0"}}}
I tried use only grok or dissect, by failed by some reasons.
Can anyone help me find what wrong with my configuration, please?