I am running the Tomcat service on a client. I would like to monitor the Tomcat access logs and filter the logs which have a response time greater than a specific number.
In the example, it has the response time 50 in the 10th field. I would like to check a condition on the 10th field. If the value exceeds the limit (a specific number), I need to filter those logs.
Let me know what filter (grok or range) will be useful for that, and also let me know the syntax.
Hello,
It matches all logs, which means it sends all the logs to the Elasticsearch server and adds the tag "matched_above_10" if the response_time is greater than 10.
Instead of that, it should send only the logs with a response_time greater than 10 to the Elasticsearch server (i.e. it would drop the other logs) and add the tag "matched_above_10".
I used a simple regex to grab the logs with a response value greater than 50 and removed the "_grokparsefailure" tag. Now I get the expected results.
Yes, but that's not a very nice way of doing it. Given a proper grok expression that extracts the fields in the log (which you should have anyway), you can just do this:
filter {
  # Only events of this type with a numeric response_time above the threshold are kept
  if [type] == "tomcat_response" and [response_time] > 50 {
    mutate {
      add_tag => "slowresponse"
    }
  } else {
    # Everything else is discarded before it reaches the output
    drop { }
  }
}
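A complete pipeline built on the approach in the answer above, added here as an example that is not part of the thread. It assumes the Tomcat AccessLogValve pattern `%h %l %u %t "%r" %s %b %D` (so `%D`, the request time in milliseconds, is the last field), and the log path and Elasticsearch host are placeholders; adjust the grok match if your valve pattern differs.

```logstash
# Added example, not from the thread. Assumes the AccessLogValve pattern
# '%h %l %u %t "%r" %s %b %D'; path and host below are placeholders.
input {
  file {
    path => "/var/log/tomcat/localhost_access_log.*.txt"   # assumed path
    type => "tomcat_access"
    start_position => "beginning"
  }
}

filter {
  if [type] == "tomcat_access" {
    grok {
      # Named captures replace "the 10th field": grok extracts by pattern, not position.
      # ':int' matters: without it response_time stays a string and '> 50' is not a
      # numeric comparison.
      match => {
        "message" => "%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] \"%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?\" %{NUMBER:status:int} (?:%{NUMBER:bytes:int}|-) %{NUMBER:response_time:int}"
      }
    }

    # Lines that did not parse have no response_time at all; handle them explicitly
    # rather than relying on a comparison against a missing field. Route them to a
    # separate index instead of dropping if you need visibility into parse failures.
    if "_grokparsefailure" in [tags] {
      drop { }
    }

    # Keep only slow requests (threshold is the 50 ms used in the thread).
    if [response_time] > 50 {
      mutate { add_tag => [ "slowresponse" ] }
    } else {
      drop { }
    }
  }
}

output {
  elasticsearch {
    hosts => [ "localhost:9200" ]   # assumed host
    index => "tomcat-slow-%{+YYYY.MM.dd}"
  }
}
```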