Grok Filter Parsing Logs

paul1243 · December 13, 2018, 4:36pm

Hi-
I have the unstructured logs receiving using the tcp input in Logstash:

"win_cpu,host=Test-Machine-01,instance=UCMS,objectname=Process Percent_User_Time=0,Percent_Privileged_Time=0 1544716850000000000\n",

I would want to use Grok Filter and parse the above data which is coming in the message field and send it to ES as below:

{
hostname: Test-Machine-01,
process_name: UCMS,
Percent_User_Time=0,
Percent_Privileged_Time=0
}

Is it really achievable using Grok Filter ? Please let me know. Thanks !

AquaX · December 16, 2018, 1:13am

For sure it’s possible!
You can use this tool to help you create the pattern:
https://grokdebug.herokuapp.com/

Your output almost looks like an InfluxDB line protocol from Telegraf. You should look into metrics beat to gather the same type of information.

paul1243 · December 16, 2018, 5:19am

@AquaX - Yes, output is from Telegraf, I have used metricbeats windows module to collect perfmon data, but I noticed it returns some unreal values for couple of counters, which I couldn't able to figure it out is something wrong with the beats or from the server end, so was just trying with telegraf to cross-check.

system · January 13, 2019, 5:19am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.