Hello,
I want to put my java app logs into elasticsearch.
Filebeat reads the log file and sends the logs to Logstash. I checked my grok filter at http://grokdebug.herokuapp.com/ and it looks OK, but in Elasticsearch there is only the message field.
How can I add the other fields?
Thanks in advance.
Sample log line:
INFO 2016-04-17 16:32:03.805 REST ID-28033d4aa1b9-45637-1524041105852-2-1 905497479867 121212 ABC aaa
My Logstash configuration and the resulting document in Elasticsearch:
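# Logstash pipeline: receive events from Filebeat, parse the SMS log line with
# grok, and index the parsed event into Elasticsearch.
input {
  beats {
    # No ssl options are set on this input, so connections on this port are
    # accepted unencrypted and without client authentication. Enable TLS here
    # if Filebeat runs on a different host than Logstash.
    port => 5044
  }
}

filter {
  # The indexed document (shipped by Filebeat 6.2.3) has no top-level "type"
  # field; the value "log" sits under prospector.type. Testing only [type]
  # therefore skips the grok block, which is why only "message" is indexed and
  # why no _grokparsefailure tag appears (grok never ran). The [type] test is
  # kept so events from shippers that still set that field are parsed as before.
  if [type] == "log" or [prospector][type] == "log" {
    grok {
      # Whitespace-separated layout: level, timestamp, frontend, transaction
      # id, msisdn, short code, message body, product id.
      # NOTSPACE matches a single token, so a message body containing spaces
      # would not match this pattern -- confirm against real log lines.
      match => { "message" => "%{LOGLEVEL:level}\s+%{TIMESTAMP_ISO8601:sent_time}\s+%{NOTSPACE:frontend}\s+%{NOTSPACE:trx_id}\s+%{NOTSPACE:msisdn}\s+%{NOTSPACE:shortCode}\s+%{NOTSPACE:msgBody}\s+%{NOTSPACE:productId}" }
    }
  }
}

output {
  elasticsearch {
    codec => "json"
    # No credentials or TLS are configured for this connection; that is only
    # reasonable while Elasticsearch stays bound to localhost.
    hosts => ["localhost:9200"]
    # msisdn and msgBody are subscriber data once parsed into fields;
    # restrict read access to this index accordingly.
    index => "sms_index"
  }
}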
{
"_index" : "sms_index",
"_type" : "doc",
"_id" : "jyn12mIBa-TikyX2irr5",
"_score" : 1.0,
"_source" : {
"message" : "INFO 2016-04-17 16:32:03.805 REST ID-28033d4aa1b9-45637-1524041105852-2-1 905497479867 121212 ABC aaa",
"source" : "/opt/jboss-fuse-6.3.0.redhat-283/data/log/smsquery.log",
"@timestamp" : "2018-04-18T22:52:26.240Z",
"host" : "sscmdev",
"beat" : {
"version" : "6.2.3",
"name" : "sscmdev",
"hostname" : "sscmdev"
},
"prospector" : {
"type" : "log"
},
"tags" : [
"beats_input_codec_plain_applied"
],
"@version" : "1",
"offset" : 204
}
}