How obtain only a part of the log?

Lucas_Fernandez · January 28, 2019, 7:46pm

Hello! I only want know, how to get only a part of log string.
My input is from filebeat and my output is elasticseach base.

I have this logstash.conf

input {
beats {
port => 5044
}
}

filter {
grok {
match => {
"message" => "%{{.*}$:contrato}"
}
add_field => { "contrato" => "%{contrato}" }
}
}

output {
elasticsearch {
hosts => ["elasticsearch:9200"]
index => "logstash"
}
stdout {
codec => json
}
}

and this is my log string

DEBUG [2019-01-25 18:18:35,973] db679d09-66d1-4556-90d0-6174dc4b90ce a.c.e.s.j.c.JudicialidadService [dw-21 - GET /siniestros?expedientes=254472] {contrato:12345}

i want add a field named: contrato_field and the value of contrato_field = 12345

how i have to do it??

thank everyone!

Badger · January 28, 2019, 8:25pm

grok { match => { "message" => [ "{contrato:%{INT:contrato_field:int}}" ] } }

Lucas_Fernandez · January 29, 2019, 1:36pm

Its work, thank you very much!

system · February 26, 2019, 1:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.