How to add logstash gork filter and field

zoram · November 1, 2016, 3:37pm

I'm using Filebeat -> Logstash -> Elasticsearch -> Kibana to have an overview of my glassfish log file.

My log message look like this.

[#|2016-11-   01T11:29:33.347+0100|INFO|glassfish3.1.2|com.MachineProxy|_ThreadID=226;_ThreadName=Thread-2;|proxy started|#]

I'm using Filebeat -> Logstash -> Elasticsearch -> Kibana to have an overview of my glassfish log file.

My log message look like this.

[#|2016-11-01T11:29:33.347+0100|INFO|glassfish3.1.2|com.MachineProxy|_ThreadID=226;_ThreadName=Thread-2;|proxy started|#]

My current pattern look like this. I have tested with http://grokdebug.herokuapp.com/

(?m)\[\#\|%{TIMESTAMP_ISO8601:timestamp}\|%{LOGLEVEL}\|%{DATA:server_version}\|%{JAVACLASS}\|%{DATA:thread}\|%{DATA:message_detail}\|\#\]

I want to have a fields in Kibana for "DateTime", "Log Level", "Server version", "Java Class Name", "Thread" and "Message detail"

Many thanks in advance.

Thomas

magnusbaeck · November 8, 2016, 4:45pm

I want to have a fields in Kibana for "DateTime",

Use the date filter to parse the timestamp field you're extracting from the log entry. That'll populate the @timestamp field that you can use in Kibana.

"Log Level", "Server version", "Java Class Name", "Thread" and "Message detail"

What you have almost works. Just make sure you extract the fields you're interested in in your grok expression instead of just matching the strings, i.e. use %{LOGLEVEL:Log Level} instead of %{LOGLEVEL}.

zoram · November 8, 2016, 1:37pm

Hi @magnusbaeck

Thanks.

I have another problems with my filebeat.yml

when I start my "sudo ./filebeat -e -c filebeat-logstash.yml -d "publish", I always got the following error.

anb041:filebeat-1.3.1 mmlug$ sudo ./filebeat -e -c filebeat-logstash.yml -d "publish"
2016/11/08 13:36:28.292774 geolite.go:24: INFO GeoIP disabled: No paths were set under output.geoip.paths
2016/11/08 13:36:28.294921 publish.go:269: INFO No outputs are defined. Please define one under the output     section.
Error Initialising publisher: No outputs are defined. Please define one under the output section.
2016/11/08 13:36:28.294943 beat.go:161: CRIT No outputs are defined. Please define one under the output section.

My filebeat configuration look like here.

http://pastie.org/10958177

Many Thanks in advance.

Thomas

magnusbaeck · November 8, 2016, 4:45pm

You have so much commented out noise in your config file that you're not seeing that you've commented the

  output:

line so the subsequent

    logstash:

line ends up in the wrong configuration section.

Please post any follow-up questions about Filebeat in the Filebeat category.

zoram · November 8, 2016, 1:42pm

Thanks.!!! Yes, I just found it too

system · July 6, 2017, 4:30am