How to filter Errors only from logs? using logstash

naga_kunchala · July 25, 2018, 12:26pm

Hi, I am using logstash in our project, How to filter debug and info log from logs ? and saved separate file?

i am using below configuration:

input {
file {
path => "/home/kunchala/TESTING/mywork/trap_testing/consul.log"
start_position => "beginning"
}
}
filter {

    grok{
  match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{LOGLEVEL:LEVEL} %{GREEDYDATA:whateverElseYoureFiltering}" }
    }

}
output {
if [level] == "DEBUG" {
file{
path => "/home/kunchala/TESTING/mywork/trap_testing/DEBUG.log"
}
}
else if [level] == "INFO" {
file{
path => "/home/kunchala/TESTING/mywork/trap_testing/INFO.log"
}
}

 else {
     file{
        path  => "/home/kunchala/TESTING/mywork/trap_testing/MO.log"
       }
      }
 stdout {    codec =>     rubydebug }
}

Badger · July 25, 2018, 12:32pm

And what is the problem you have with the result of that?

naga_kunchala · July 25, 2018, 12:37pm

my concern is all debug information i want to save in DEBUG.log and all info log information need to be save in INFO.log file. but that one is not happening. all the debug , info ,etc logging information stored in MO.log file . could you please help me on this anything i did wrong

Badger · July 25, 2018, 12:41pm

Please provide an example log line.

naga_kunchala · July 25, 2018, 12:50pm

{"message":"2018-07-25_16:57:48.39018 consul 2018/07/25 11:57:48 [DEBUG] agent: Service 'consul' in sync\n","@version":"1","crs":"consul","mms":" 2018/07/25 11:57:48 [DEBUG] agent: Service 'consul' in sync\n","host":"205.26.198.10","ts":"2018-07-25_16:57:48.39018","@timestamp":"2018-07-25T16:57:48.389Z"}

Badger · July 25, 2018, 12:58pm

Is that what a line of the log file looks like? If so, it is not even close to matching your grok filter. It has a timestamp that I would not expect to match %{SYSLOGTIMESTAMP} followed by a hostname and a second timestamp.

Build your grok filter one field at a time and make sure the first part matches before adding additional fields.

And for that format dissect is probably better than grok.

naga_kunchala · July 25, 2018, 1:00pm

i am new to logstash, can you please send me the filter for that.

system · August 22, 2018, 1:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.