How to filter the logs which have a numeric value greater than a specific number in a particular field?

I am running a Tomcat service on a client. I would like to monitor the Tomcat access logs and filter the logs which have a response time greater than a specific number.

e.g.: I have the Tomcat access log.

192.168.1.10 - - [26/May/2015:21:56:51 -0700] "POST /url HTTP/1.1" 200 50

In the example, it has the response time 50 in the 10th field. I would like to check a condition on the 10th field. If the value exceeds the limit (a specific number), I need to filter those logs.

Let me know which filter (grok or range) will be useful for that, and also let me know the syntax.

Thanks in advance.

Hello,

That was quite easy, and grok filters for Tomcat/Apache logs are easy to find on Google.

Here is a full example of what you did, matching events with time above 10. I have used 'mutate' and 'add_tag' to show that.

The rules:


The documentation and examples :

Hello,
It matches all logs, which means it sends all the logs to the Elasticsearch server and adds the tag "matched_above_10" if the response_time is greater than 10.

Instead of that, it will send only the logs with response_time greater than 10 to the Elasticsearch server (i.e. it would drop the other logs) and will add the tag "matched_above_10".

I used a simple regex to grab the logs with a response value greater than 50 and removed the "_grokparsefailure" tags. Now I got the expected results.

filter {
  if [type] == "tomcat_response" {
    grok {
      # The square brackets and the inner quotes must be escaped inside the Logstash string,
      # otherwise the string ends early and "[" opens a regex character class.
      # The last group only matches a 10th field of 51..99 or 100 and above.
      match => { "message" => "%{IP} - - \[%{HTTPDATE}\] \"%{DATA}\" %{NUMBER} (5[1-9]|[6-9]\d|\d{3,})" }
      add_tag => "slowresponse"
    }
    # Lines whose response value did not match the pattern get _grokparsefailure and are dropped.
    if "_grokparsefailure" in [tags] {
      drop { }
    }
  }
}

Thanks for your assist.

I used a simple regex to grab the logs with a response value greater than 50 and removed the "_grokparsefailure" tags. Now I got the expected results.

Yes, but that's not a very nice way of doing it. Given a proper grok expression that extracts the fields in the log (which you should have anyway) you can just do this:

filter {
  if [type] == "tomcat_response" and [response_time] > 50 {
    mutate {
      add_tag => "slowresponse"
    }
  } else {
    drop { }
  }
}
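A complete pipeline that puts the two pieces together, the grok expression that extracts the fields from the access log line quoted in the question and the numeric conditional from the answer above, as an added example that is not part of the thread. The field names (client_ip, method, request, status, response_time), the file path and the Elasticsearch endpoint are assumptions. The caveat it shows is that grok captures text, so the capture needs the `:int` suffix for `[response_time] > 50` to be a numeric comparison.

```logstash
# Added example (not from the thread): full pipeline for the log format quoted above.
# Assumed: events arrive with type "tomcat_response"; field names and paths are my own choice.
input {
  file {
    path => "/var/log/tomcat/localhost_access_log.txt"   # assumed path
    type => "tomcat_response"
  }
}

filter {
  if [type] == "tomcat_response" {
    grok {
      # Sample line: 192.168.1.10 - - [26/May/2015:21:56:51 -0700] "POST /url HTTP/1.1" 200 50
      # ":int" converts the captured text to a number; without it the field is a
      # string and the "[response_time] > 50" comparison below is not numeric.
      match => { "message" => "%{IP:client_ip} - - \[%{HTTPDATE:timestamp}\] \"%{WORD:method} %{URIPATHPARAM:request} HTTP/%{NUMBER:http_version}\" %{NUMBER:status:int} %{NUMBER:response_time:int}" }
    }
    # Lines that do not parse have no response_time to compare, so drop them first.
    if "_grokparsefailure" in [tags] {
      drop { }
    }
    # Keep and tag only the slow responses; everything else is discarded.
    if [response_time] > 50 {
      mutate { add_tag => "slowresponse" }
    } else {
      drop { }
    }
  }
}

output {
  elasticsearch { hosts => ["localhost:9200"] }   # assumed endpoint
}
```

The `_grokparsefailure` check is kept separate from the threshold so that a malformed line is dropped for being unparseable rather than silently failing the comparison; if you would rather keep such lines for inspection, route them to a different output instead of dropping them.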

I had the idea to try the else condition today, but you got it. The new syntax makes sense.
It is perfect.

Thanks.