gsuboc
January 24, 2020, 7:32pm
1
I'm trying to extract my logs field using grok but it doesn't work.
Here's my grok filter:
filter { # parse the CSV structure generated from the log file into fields grok { match => {"message" => "%{GREEDYDATA:Job_Name} %{HAPROXYTIME:ElapsedRenderTime} %{NUMBER:FrameCount} %{WORD:FrameList} %{WORD:Render_Type} %{WORD:UserSubmitter} %{HAPROXYTIME:TotalTaskRenderTime} %{HAPROXYTIME:JobAverageFrameRenderTime} %{DATESTAMP:SubmitDate} %{DATESTAMP:CompletedDate} %{WORD:MachineSubmitted} %{NUMBER:JobPriority} %{WORD:Job_ID}" } } }
Here's my logfile:
Job_Name: TESTj
I've also tried %{WORD:Job_Name} but the result is this:
The result is incorrect. This should have been "TESTj" instead of "Job_Name".
Badger
January 25, 2020, 4:00pm
2
I would have grok match that against a list of patterns. If you are using a multiline filter to combine the logfile into a single event you will need 'break_on_match => false'
grok {
match => {
"message" => [
"Job_Name: %{WORD:Job_Name}",
"ElapsedRenderTime: %{HAPROXYTIME:ElapsedRenderTime}",
"FrameCount: %{NUMBER:FrameCount}",
...
]
}
}
I am not convinced that 00:00:27.8370000 matches the HAPROXYTIME pattern.
inhinyera16
January 25, 2020, 6:17pm
3
I would recommend trying kv filter instead of grok.
gsuboc
January 27, 2020, 4:29pm
4
Does "break_on_match" would go under file or filter section? I have used the grok debugger online and HAPROXYTIME is what it showed for ElapsedRenderTime filed.
gsuboc
January 27, 2020, 4:30pm
5
How would I use kv filter? thanks.
gsuboc
January 27, 2020, 5:36pm
7
does it require a pattern directory?
gsuboc
January 27, 2020, 5:50pm
9
filter {
break_on_match => false
grok { match => { "message" => [ "Job_Name: %{WORD:Job_Name}",
"ElapsedRenderTime: %HAPROXYTIME:ElapsedRenderTime}",
"FrameCount: %{NUMBER:FrameCount}",
"FrameList: %{WORD:FrameList}",
"Render_Type: %{WORD:Render_Type}",
"UserSubmitter: %{WORD:UserSubmitter}",
"TotalRenderTime: %{HAPROXYTIME:TotalRenderTime}",
"JobAverageFrameRenderTime: %{HAPROXYTIME:JobAverageFrameRenderTime}",
"SubmitDate: %{TIMESTAMP:SubmitDate}",
"CompletedDate: %{TIMESTAMP:CompletedDate}",
"MachineSubmitted: %{WORD:MachineSubmitted}",
"JobPriority: %{NUMBER:JobPriority}",
"Job_ID: %{WORD:Job_ID}" ] }
}
Here's my grok filter but running the logstash service shows successful but it shutdown. I'm also running filebeat but logstash.yml is disabled.
Badger
January 27, 2020, 6:04pm
10
The break_on_match option has to be inside the grok filter.
gsuboc
January 27, 2020, 6:11pm
11
Here's my complete config:
input {
filter {
}
}
elasticsearch {
hosts => ["D1motion-fs:9200"]
}
}
gsuboc
January 27, 2020, 6:11pm
12
Please let me know if there's any error on this config. I'm still learning this thing.
Badger
January 27, 2020, 6:11pm
13
Do not use backslash in the path option of a file input. Use forward slash.
gsuboc
January 27, 2020, 6:13pm
14
It's a windows platform. I have tried the // but it doesn't grab my files from that location.
gsuboc
January 27, 2020, 6:25pm
15
It's actually this:
path => "\\d1motion-fs\kibana_logs\render_logs\*.txt"
Badger
January 27, 2020, 6:29pm
16
As I said, do not use backslash. Try
path => "/d1motion-fs/kibana_logs/render_logs/*.txt"
gsuboc
January 27, 2020, 6:34pm
17
Changed path to:
I'll run some test and will post the result, thanks.
gsuboc
January 27, 2020, 6:38pm
18
Here's my result:
log.flags multiline
The fields are still under the "message" section, not separated.
Badger
January 27, 2020, 7:11pm
19
What do you get when you use
output { stdout { codec => rubydebug } }
?
