Grok filter by source

Hi All,

Sorry, I'm new to ELK. Currently I'm using ELK 6.8.10 and it's working properly with a filter by tags;
this is my grok.

filter {
  if "nameservice-out-staging" in [tags] {
    grok {
      match => { "message" => "%{WORD:type}\]\[METHOD\]%{WORD:method}\[URL\]%{URIPATHPARAM:url}\[STATUS\]%{NUMBER:respone}\[RESPONSE_TIME\]%{NUMBER:response_time}" }
      remove_field => [ "message","@version","beat","offset","prospector","log","fields" ]
    }
    mutate {
      # the convert key must match the field name captured by grok ("respone");
      # a mismatched key is silently skipped and the field stays a string
      convert => {
        "respone" => "integer"
        "response_time" => "float"
      }
    }
  }
}

output {
  if "nameservice-out-staging" in [tags] {
    elasticsearch {
      hosts => ["ES-HOST:9200"]
      manage_template => false
      index => "nameservice-stage-%{+YYYY.MM.dd}"
    }
  }
}

It's working, but I want to change the nameservice-out-staging condition to one by source, like:

if [source] =~ /\/var\/log\/.pm2\/logs\/nameservice-out.log\// {

This is not working. What is wrong in this regex?

Thanks
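As an added example that is not part of the thread or of Logstash itself: a small Python replay of the grok expression and the mutate/convert step in the post above. It translates the %{WORD}, %{NUMBER} and %{URIPATHPARAM} references into Python regexes (simplified equivalents of the logstash-patterns-core definitions, which is an assumption; Logstash itself uses Oniguruma), runs them over a constructed log line, and then applies the convert map both as posted (key "resspone") and with the key corrected to "respone". Logstash's mutate convert skips a field that is not on the event without raising an error, so with the typo the status silently stays a string and the pipeline still "works".

```python
"""Added example (not from the thread): replay the posted grok pattern and
mutate/convert step in plain Python to show why the field-name typo matters."""
import re
from typing import Optional

# Simplified Python equivalents of the logstash-patterns-core definitions used
# by the posted grok expression (assumption: NUMBER is reduced to its base-10
# form without the atomic group, which Python's re lacks before 3.11).
GROK_PATTERNS = {
    "WORD": r"\b\w+\b",
    "NUMBER": r"(?<![0-9.+-])[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)",
    "URIPATH": r"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_\-]*)+",
    "URIPARAM": r"\?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\-\[\]<>]*",
    "URIPATHPARAM": r"%{URIPATH}(?:%{URIPARAM})?",
}

# The grok expression from the original post, verbatim (including "respone").
GROK = (r"%{WORD:type}\]\[METHOD\]%{WORD:method}\[URL\]%{URIPATHPARAM:url}"
        r"\[STATUS\]%{NUMBER:respone}\[RESPONSE_TIME\]%{NUMBER:response_time}")


def grok_to_regex(expr: str) -> str:
    """Expand %{NAME} / %{NAME:field} references into a Python regex.
    Named references become named groups; patterns may nest (URIPATHPARAM)."""
    def expand(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        inner = grok_to_regex(GROK_PATTERNS[name])
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, expr)


def grok_match(expr: str, line: str) -> Optional[dict]:
    """Grok, like re.search, is unanchored: it finds the pattern anywhere."""
    m = re.search(grok_to_regex(expr), line)
    return m.groupdict() if m else None


def mutate_convert(event: dict, convert: dict) -> dict:
    """Emulate `mutate { convert => {...} }`: a key that names a field absent
    from the event is skipped without error, which is what hides a typo."""
    casts = {"integer": int, "float": float, "string": str}
    out = dict(event)
    for field, target in convert.items():
        if field in out:
            out[field] = casts[target](out[field])
    return out


def process(line: str, convert: dict) -> Optional[dict]:
    """grok + mutate/convert for one line; None when grok does not match."""
    event = grok_match(GROK, line)
    return mutate_convert(event, convert) if event else None


# Constructed sample line in the shape the posted pattern expects (not real data).
SAMPLE = "[INFO][METHOD]GET[URL]/api/v1/names?id=42[STATUS]200[RESPONSE_TIME]12.5"

TYPO_CONVERT = {"resspone": "integer", "response_time": "float"}   # as posted
FIXED_CONVERT = {"respone": "integer", "response_time": "float"}   # key matches grok

if __name__ == "__main__":
    for label, conv in (("as posted", TYPO_CONVERT), ("fixed", FIXED_CONVERT)):
        ev = process(SAMPLE, conv)
        print(label, {k: (v, type(v).__name__) for k, v in ev.items()})
```

Run it and compare the two dicts: with the posted map the "respone" value is still the string "200", with the corrected key it is the integer 200, so a numeric range query on the field would only work in the second case. The same translator can be pointed at any other grok expression that only uses the patterns listed in GROK_PATTERNS.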

Does your filename really have a trailing / ?

Hi,

Thanks for your reply.
/var/log/.pm2/logs/nameservice-out.log
/var/log/.pm2/logs/nameservice-error.log
These are the real log paths and log files.
Any idea?

Thanks

Try this:

if [source] =~ /\/var\/log\/.pm2\/logs\/nameservice-out.log/ {

Or, even simpler, and it works whatever the file name is:

In the input:

input {
  file {
    path => "/var/log/.pm2/logs/nameservice-out.log"
    type => "log"
    tags => ["serviceout"]
    id => "serviceout"
  }

  file {
    path => "/var/log/.pm2/logs/nameservice-error.log"
    type => "log"
    tags => ["serviceerror"]
    id => "serviceerror"
  }
}

filter {
    if "serviceout" in [tags] {
    .
    .
   }
  
  if "serviceerror" in [tags] {
  .
  .
  }
}

output {
 .
 .
 .
}

Regards,
Fadjar340
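An added offline check of the regex discussed above; this is not code from the thread or from Logstash. It runs the condition as originally posted, the corrected one from the reply, and a fully anchored, dot-escaped version against the two real paths from the thread plus two constructed look-alikes (a rotated copy of the log and a path in which the unescaped dots match other characters). Logstash's `=~` performs an unanchored search with a Ruby-style regex; for these constructs Python's re behaves the same, which the code states as an assumption.

```python
"""Added example (not from the thread): test a `[source] =~ /.../` condition
against candidate file paths before putting it in the Logstash pipeline."""
import re

# The two real paths given in the thread, plus constructed look-alikes
# (assumptions) that expose what an unescaped '.' and a missing anchor admit.
PATHS = [
    "/var/log/.pm2/logs/nameservice-out.log",      # from the thread
    "/var/log/.pm2/logs/nameservice-error.log",    # from the thread
    "/var/log/.pm2/logs/nameservice-out.log.1",    # constructed: rotated copy
    "/var/log/xpm2/logs/nameservice-outXlog",      # constructed: '.' used as wildcard
]

# Candidate conditions, as they would appear between the slashes of
# `if [source] =~ /.../`. Assumption: Logstash evaluates these with a
# Ruby-style regex and an unanchored search, which Python's re reproduces here.
CONDITIONS = {
    "posted (trailing /)":   r"\/var\/log\/.pm2\/logs\/nameservice-out.log\/",
    "reply (no trailing /)": r"\/var\/log\/.pm2\/logs\/nameservice-out.log",
    "anchored + escaped":    r"^/var/log/\.pm2/logs/nameservice-out\.log$",
}


def matches(condition: str, source: str) -> bool:
    """Same test Logstash performs for `=~`: an unanchored regex search."""
    return re.search(condition, source) is not None


def evaluate(condition: str) -> list:
    """Return the paths that would enter the conditional block."""
    return [p for p in PATHS if matches(condition, p)]


if __name__ == "__main__":
    for label, cond in CONDITIONS.items():
        print(f"{label:24s} -> {evaluate(cond)}")
```

The posted form matches nothing because it demands a trailing slash that no file path has. The form from the reply matches the intended file, but also the rotated copy and a path where the dots in ".pm2" and ".log" stand for any character; whether the rotated file should be included is a decision to make explicitly, and the anchored, escaped form matches exactly one path.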

Hi All,

Thanks for your reply, case solved.

Thanks a lot

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.