How to check the tags values in logstash

Sripal · January 2, 2019, 11:10am

@magnusbeack

Could you please help me to fix this issue.

wolfman · January 2, 2019, 12:21pm

noting the escape \
I don't understand why there are fewer escape characters.I obviously added the escape character \.

stdin { }
}

filter{
if[message] =~ /^\[.*/ {
grok {
match => ["message" ,'%{SYSLOG5424SD:cliip}, %{URIHOST:clientip} %{NOTSPACE:user} %{NOTSPACE:pass} %{NOTSPACE:role} \[%{HTTPDATE:logtime}\] \"%{WORD:method} %{DATA:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:responsecode} %{NUMBER:bitstransfer} %{NOTSPACE:id1} %{NOTSPACE:id2} %{NOTSPACE:id3} %{NOTSPACE:webserver} %{NOTSPACE:id5}']
}
}else{
grok {
match => ["message", '%{URIHOST:clientip} %{NOTSPACE:user} %{NOTSPACE:pass} %{NOTSPACE:role} \[%{HTTPDATE:logtime}\] \"%{WORD:method} %{DATA:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:responsecode} %{NUMBER:bitstransfer} %{NOTSPACE:id1} %{NOTSPACE:id2} %{NOTSPACE:id3} %{NOTSPACE:webserver} %{NOTSPACE:id5}']
}
}

}

output{
stdout {}
}

Sripal · January 3, 2019, 3:58am

Is this conf is working for you?

wolfman · January 3, 2019, 4:32am

yes,noting the escape character \

Sripal · January 3, 2019, 6:14am

Thanks @wolfman .

Somehow i managed the issue in my way, i am getting grokparsefailure error but logs are structured properly.
out of 35000 log line 32000 logs are structured

Thanks for the help

system · January 31, 2019, 6:14am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.