Help me writing grook filter pattern for my log to injest into elasticsearch

Elastic Stack Logstash
1

These are few sample log lines

74128 2021-01-25T23:28:42.753582Z - xyz svn/repos get-latest-rev

74128 2021-01-25T23:28:43.030543Z - xyz svn/repos reparent /sm/branches/6.0r

74128 2021-01-25T23:28:43.307469Z - xyz svn/repos stat /sm/branches/6.0r@267554

74128 2021-01-25T23:28:43.591372Z - xyz svn/repos get-dir /sm/branches/6.0r r267554 text

74132 2021-01-25T23:28:57.008969Z - xyz svn/repos open 2 cap=(edit-pipeline svndiff1 absent-entries depth mergeinfo log-revprops) /sm/branches/6.0r SVN/1.9.5%20(amd64-portbld-freebsd8.4) -

2

Hi @abhishek_s1
You can use this documentation to try do it:

https://streamsets.com/documentation/datacollector/latest/help/datacollector/UserGuide/Apx-GrokPatterns/GrokPatterns_title.html

Try to do it yourself, if you fail, write the pattern that you got and what result you expect.

3

Hi @nugusbayevkk .

Thanks for replying & providing appropriate documentation. I got the pattern & it works !!

4

Glad to hear that :+1:

1 Like
5

HI i've been having issues ingesting a pcap file into elastixsearch 7.11. I've first converted my pcap file to json by using the " tshark -r packet.pcap -T ek > packets.json" command. i then create a index template . but when i try to injest the packets into elasticsearch using curl -s -H "Content-Type: application/x-ndjson" -XPOST "localhost:9200/_bulk" --data-binary "@packets.json"

i get the following error: "status":400,"error":{"type":"mapper_parsing_exception","reason":"failed to parse field [layers.frame.frame_frame_offset_shift] of type [date] in document with id "

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.