I'm trying to parse a log file into elasticsearch through logstash.
I want to send the following log as single event(i.e. as a single document) into elasticsearch.
######################################################
ETL Wrapper Initializing - 09/27/2018 06:33:57
######################################################
------------------------------------------------------
Wrapper Information - 09/27/2018 06:33:57
------------------------------------------------------
------------------------------------------------------
Reading Component Log Port Files - 09/27/2018 06:34:53
------------------------------------------------------
-- > -- > Found 3 files and only merge non-zero byte files
------------------------------------------------------
Renaming Reject Files - 09/27/2018 06:34:56
------------------------------------------------------
######################################################
Sending Notifications - 09/27/2018 06:34:56
######################################################
------------------------------------------------------
Setting Exit Status - 09/27/2018 06:34:56
------------------------------------------------------
######################################################
ETL Wrapper Finalizing - 09/27/2018 06:34:56
######################################################
------------------------------------------------------
Here is my logstash configuration:
input {
file {
path => "D:/logs/file.log"
start_position => "beginning"
}
}
filter{
grok {
match => {"message" => "ETL Wrapper Initializing - %{DATESTAMP:JobStartTime}"}
match => {"message" => "ETL Wrapper Finalizing - %{DATESTAMP:JobEndTime}"}
}
if "_grokparsefailure" in [tags]{
drop{}
}
if [message] =~ /^$/ {
drop { }
}
mutate{
remove_field => ["@version","host","message" ]
}
}
output {
elasticsearch {
hosts => "http://localhost:9200/"
index => "success_index"
}
stdout { codec => rubydebug }
}
Output of above configuration:
{
"JobStartTime" => "09/27/2018 09:33:41",
"@timestamp" => 2018-12-05T10:55:44.698Z,
"path" => "D:/logs/file.log"
}
{
"JobEndTime" => "09/27/2018 09:34:16",
"@timestamp" => 2018-12-05T10:55:44.784Z,
"path" => "D:/logs/file.log"
}
My expected output:
{
"JobStartTime" => "09/27/2018 09:33:41",
"@timestamp" => 2018-12-05T10:55:44.698Z,
"path" => "D:/logs/file.log"
"JobEndTime" => "09/27/2018 09:34:16"
}
How can I merge "JobStartTime" and "JobEndTime" into single document?
Any help is appreciable..
-Vinod
Michel99_7
December 6, 2018, 9:44am
2
Hello vinodanumarla,
Hello Michel99_7
I have tried with Aggregate Filter. Below is my filter,
aggregate {
Below is the output:
{@timestamp " => 2018-12-06T09:32:33.412Z,
Able to combine two docs as above. But, can we do it without creating lists like above i.e without separate mappings.
{@timestamp " => 2018-12-05T10:55:44.698Z,
Thanks!
DyraSan
December 6, 2018, 11:43am
4
I'm trying to parse a log file into elasticsearch through logstash.
I want to send the following log as single event(i.e. as a single document) into elasticsearch.
Here is my log file looks like:
######################################################
Wrapper Information - 09/27/2018 06:33:57
Reading Component Log Port Files - 09/27/2018 06:34:53
-- > -- > Found 3 files and only merge non-zero byte files
Renaming Reject Files - 09/27/2018 06:34:56
######################################################
Setting Exit Status - 09/27/2018 06:34:56
######################################################
Here is my logstash configuration:
input {@version ","host","message" ]http://localhost:9200/ "Output of above configuration:
{@timestamp " => 2018-12-05T10:55:44.698Z,@timestamp " => 2018-12-05T10:55:44.784Z,My expected output:
{@timestamp " => 2018-12-05T10:55:44.698Z,
Any help is appreciable.. Thanks in advance!
Thanks,kissanime
Michel99_7
December 6, 2018, 12:42pm
5
Hi Vino,
You can also use a multiline command in the input section:
input {#sincedb_path => "/dev/null"
filter {
output {
system
January 3, 2019, 12:52pm
6
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.