How to filter in filebeat

Hi,

Below is the message I'm getting from Filebeat (7.0.1). I want to filter it into different lines. How can we do it in the filebeat.yml file? Any help will be appreciated.

log.flags: multiline
message: Audit file /opt/oracle/admin/TESTPP/adump/TESTPP_ora_118015_20200227162922728552143795.aud Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production With the Partitioning, Automatic Storage Management, OLAP, Advanced Analytics and Real Application Testing options ORACLE_HOME = /opt/oracle/12.1.0.2 System name: Linux Node name: testhost.mycompany.com Release: 3.10.0-514.6.1.el7.x86_64 Version: #1 SMP Sat Dec 10 11:15:38 EST 2016 Machine: x86_64 Instance name: TESTPP Redo thread mounted by this instance: 1 Oracle process number: 92 Unix process pid: 118015, image: oracle@testhost.mycompany.com (TNS V1-V3)
offset: 0

Hi!

If these logs are not from a service that is supported by the current Filebeat modules, then you will need to forward the raw messages to Logstash and analyze them there.

Another option, in order to achieve this with only Filebeat, would be to use processor-script in order to parse and analyze the raw message. Note that this might not be the best option in terms of performance.

C.

2 Likes
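The script-processor route suggested in the reply, sketched as an added example that is not part of the original thread: JavaScript that splits the Oracle audit-file header from the question into separate fields. It assumes the installed Filebeat ships the `script` processor; the `oracle.audit.*` field names and the `enrichEvent` helper are hypothetical, and only `event.Get` and `event.Put` from the processor's event API are used.

```javascript
// Added example, ES5 style. Target field names "oracle.audit.*" are assumptions.
var LABELS = [
  ["ORACLE_HOME =", "oracle_home"], ["System name:", "system_name"],
  ["Node name:", "node_name"], ["Release:", "os_release"],
  ["Version:", "os_version"], ["Machine:", "machine"],
  ["Instance name:", "instance_name"],
  ["Redo thread mounted by this instance:", "redo_thread"],
  ["Oracle process number:", "process_number"],
  ["Unix process pid:", "unix_pid"], [", image:", "image"]
];
// Sample input: the message field exactly as posted in the question.
var SAMPLE_MESSAGE = "Audit file /opt/oracle/admin/TESTPP/adump/TESTPP_ora_118015_20200227162922728552143795.aud Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production With the Partitioning, Automatic Storage Management, OLAP, Advanced Analytics and Real Application Testing options ORACLE_HOME = /opt/oracle/12.1.0.2 System name: Linux Node name: testhost.mycompany.com Release: 3.10.0-514.6.1.el7.x86_64 Version: #1 SMP Sat Dec 10 11:15:38 EST 2016 Machine: x86_64 Instance name: TESTPP Redo thread mounted by this instance: 1 Oracle process number: 92 Unix process pid: 118015, image: oracle@testhost.mycompany.com (TNS V1-V3)";

// Cut the header at its known labels, in order, so parsing works whether the
// multiline event still contains newlines or was collapsed onto one line.
function parseOracleAuditHeader(message) {
  var fields = {}, hits = [], from = 0, i, at, stop, value;
  var file = /^\s*Audit file (\S+)/.exec(message);
  if (file) { fields.audit_file = file[1]; }
  for (i = 0; i < LABELS.length; i++) {
    at = message.indexOf(LABELS[i][0], from);
    if (at === -1) { continue; }  // a missing label is skipped, not fatal
    from = at + LABELS[i][0].length;
    hits.push({ name: LABELS[i][1], start: at, end: from });
  }
  for (i = 0; i < hits.length; i++) {
    stop = i + 1 < hits.length ? hits[i + 1].start : message.length;
    value = message.substring(hits[i].end, stop).replace(/^\s+/, "");
    // Keep only the first line so text after the header never leaks in.
    fields[hits[i].name] = value.split(/\r?\n/)[0].replace(/\s+$/, "");
  }
  return fields;
}

// Call this from the script processor's entry point:
//   function process(event) { enrichEvent(event); }
function enrichEvent(event) {
  var message = event.Get("message"), fields, key;
  if (typeof message !== "string" || !/^\s*Audit file /.test(message)) {
    return;  // not an audit-file header: leave the event untouched
  }
  fields = parseOracleAuditHeader(message);
  for (key in fields) {
    if (Object.prototype.hasOwnProperty.call(fields, key)) {
      event.Put("oracle.audit." + key, fields[key]);
    }
  }
}
```

All extracted values are strings; convert `unix_pid` and similar fields downstream if numeric types are needed.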
