I am using elk stack for a month now. Lately, I have come across a situation where I need some help from the community to save me some time. I am actually running filebeat and elk stack in docker. I am sending logs from filebeat to logstash. The issue is my log is a custom log file and I want to create tags out of the data inside log file. Here is a line from my log file.
The first line above shows the tags that I want to create and second line is just an example how my log file is logging everything to the file.
What I have seen so far is that we can use processors to filter out data coming from the log file using add_field. But the issue is I have not come across a better solution where it says that if the log file has a word like "m00001" tag it as a machine id and for other words too.
What I can see now in kibana is that it is logging everything as a single message. like i see log.message = all the data from the second line.
I want to do the processing thing on filebeat only and want to use those tags in logstash to create index pattern. Or maybe I am not sure if I can create index pattern inside filebeat
# filestream is an input for collecting log messages from files.
- type: filestream
# Unique ID among all inputs, an ID is required.
id: my-filestream-id
# Change to true to enable this input configuration.
enabled: true
# Paths that should be crawled and fetched. Glob based paths.
paths:
- /Users/sbrown/workspace/sample-data/discuss/filebeat-dissect.log
#- c:\programdata\elasticsearch\logs\*
processors:
- dissect:
tokenizer: "%{date} %{time} %{tag_name} %{tag_machine_name} %{site_id} %{parking_lot_id} %{log_level} %{message}"
field: "message"
target_prefix: "dissect"
@stephenb thanks for your valueable reply and sorry for the late response. One last small detail I would love to know. What if I have multiple log files and I want to create tags out of each message. Can I use the single processor for that purpose or Do I need different processors for each log file. Furthermore, thanks to you I can see that it has created tags as per your answer provided above. How can I create an index based on the output coming from filebeat. e.g I want to create an index out of machinename in logstash as I will have multiple machines sending logs to my logstash so having an index based on machine name will hugely benefit me.
Also when I try to filter them out in kibana. It does not highlights the field I putted in the search field. Usually with when we filter out anything it highlights incase of disect tags it is not hightlighting. Any thoughts on this?
Hi @Raja_Muneer you should really open separate threads for these questions I will give a quick response here:
If they have different log patterns you will probably need to use different inputs each with the appropriate dissect pattern.
What version are you on?
Apologies do you want to create an index name in filebeat or logstash the sentence above says both but let's assume logstash
In logstash the output would be some this like this
An index per machine is typically an anti-pattern, if you have many machines you will have many indices which "look" nice to your eyes but can be very inefficient... typically the pattern is to send to a common index and filter on the Kibana Side. It is unclear what the huge benefit is, this is just a suggestion.
If you only have a few machines then fine, if you have a lot / many machines...not so fine.
When you filter out the docs are filtered out so there is no highlighting ... if you mean filter in.. then please provide a the Version you are on and a screen shot.
Thank you so much @stephenb. You have no doubt cleared my understanding of these questions. About the filter part I am sorry I cannot provide a screenshot at the moment but what I meant by that was the highlighting. i.e for instance when we receive logs from a beat we can see them on kibana suppose I am interested in watching messages from a log. So when I query using tags like a log.message="Warn" and when I click the update button it highlights all those messages in yellow. but as we created dissect tags when I filter them using a tag like dissect.machine_name="m00001" it doesn't highlights them in yellow. BTW I am on version 8.6.0
I really appreciate your patience and thanks for helping me out.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.