How to index inconsistent log delimited with tabs

Hi All,

I'm doing a POC of the ELK stack in my company. I don't have an issue with parsing IIS logs, for example, but one of our apps has a really poor, inconsistent txt log without headers.

Example:

10:49:37	exwhh1s2ofneggxlpuvgg1fc	1106	1011	InitFactory client info:exwhh1s2ofneggxlpuvgg1fc|46.248.188.222|Zabbix|https://sr.cinemacity.sk/SalesSK_res/default.aspx?key=SKPolusP_RES
10:49:37	exwhh1s2ofneggxlpuvgg1fc	1106	1011	WebTixsExtendedTemplateTicketExportCodes: RT3D,CM
10:49:37	exwhh1s2ofneggxlpuvgg1fc	1106	1011	WebTixsExtendedTemplateWildcardCode: RT3D
10:49:37	exwhh1s2ofneggxlpuvgg1fc	1106	1011	Creating InitData Semaphore Lock...
10:49:37	exwhh1s2ofneggxlpuvgg1fc	1106	1011	Semaphore WSTixsInit Starting Lock wait One...SMWSTixsInit_/SalesSK_res
10:49:37	exwhh1s2ofneggxlpuvgg1fc	1106	1011	Semaphore WSTixsInit Entered
10:49:37	exwhh1s2ofneggxlpuvgg1fc	1106	1011	Semaphore WSTixsInit Releasing...1106-1011-15
10:49:37	exwhh1s2ofneggxlpuvgg1fc	1106	1011	Semaphore WSTixsInit Released 1106-1011-15
10:49:37	exwhh1s2ofneggxlpuvgg1fc	1106	1011	InitData completed 1106-1011-15
10:49:37	exwhh1s2ofneggxlpuvgg1fc	1106	1011	InitFactory, TSEC:eCommerce, TSID:5,SeatLockInSeconds:900
10:49:37	exwhh1s2ofneggxlpuvgg1fc	1106	1011	Init Transaction Provider...
10:49:37	exwhh1s2ofneggxlpuvgg1fc	Instancing WSTixsTransactionProvider(SoftwareType=50, Timeout=60000, Username=WebPay, Password=******)...
10:49:37	exwhh1s2ofneggxlpuvgg1fc	Success (Predefined TicketingServiceCode=eCommerce
10:49:37	exwhh1s2ofneggxlpuvgg1fc	1106	1011	Done Init Transaction Provider...
10:49:37	exwhh1s2ofneggxlpuvgg1fc	1106	1011	Assigned soapTixsUrl (Assigned to DataProvider): http://10.72.6.100/wstixs/wstixs.asmx
10:49:37	exwhh1s2ofneggxlpuvgg1fc	1106	1011	Assigned wsTixsUrl (Assigned to TransactionProvider): http://10.72.6.100/wstixs/wstixs.asmx
10:49:37	exwhh1s2ofneggxlpuvgg1fc	1106	1011	Assigned enterpriseWSTixsUrl (Assigned to EnterpriseProvider): http://10.10.50.60/wstixsSK/wstixs.asmx
10:49:37	exwhh1s2ofneggxlpuvgg1fc	1106	1011	Assigned enterpriseSiteId: 1049
10:49:37	exwhh1s2ofneggxlpuvgg1fc	1106	1011	Done Factory Constructor...
10:49:37	exwhh1s2ofneggxlpuvgg1fc	1106	1011	SetStartPageQueryString:key=SKPolusP_RES
10:49:37	exwhh1s2ofneggxlpuvgg1fc	SetAutoFillFields
10:49:37	exwhh1s2ofneggxlpuvgg1fc	1106	1011	InitBookingType:~/BookingType.aspx?dtticks=636414149771132321&key=SKPolusP_RES
10:49:37	exwhh1s2ofneggxlpuvgg1fc	1106	1011	SetCurrentOrderItem:
10:49:37	exwhh1s2ofneggxlpuvgg1fc	1106	1011	P: BookingType

I would normally split them by tab, but as you can see the file is inconsistent. Could someone please advise?

You should be able to use grok patterns for that.

See https://cinhtau.github.io/2017/06/30/optional-fields-in-grok/
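
The optional-field approach suggested above, prototyped as an added example (not code from this thread or the linked article): a Python regex whose optional group absorbs the two numeric columns when they are present, with the equivalent grok pattern given in a comment. The field names are assumed, since the log has no headers, and the columns are assumed to be separated by single tabs.

```python
import re

# Field names (time, session, id1, id2, message) are assumptions; the log has no headers.
# The same optional group written as a grok pattern would be:
#   ^%{TIME:time}\t%{NOTSPACE:session}\t(?:%{INT:id1}\t%{INT:id2}\t)?%{GREEDYDATA:message}$
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\t"
    r"(?P<session>\S+)\t"
    r"(?:(?P<id1>\d+)\t(?P<id2>\d+)\t)?"  # optional pair of numeric columns
    r"(?P<message>.*)$"
)


def parse_line(line):
    """Return a dict of fields, or None when the line fits neither shape."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    fields = m.groupdict()
    # Convert the numeric columns; they stay None on the short lines.
    for key in ("id1", "id2"):
        if fields[key] is not None:
            fields[key] = int(fields[key])
    return fields


def parse_all(text):
    """Split text into parsed records and raw lines that did not match."""
    parsed, rejected = [], []
    for line in text.splitlines():
        record = parse_line(line)
        if record is None:
            rejected.append(line)  # keep failures visible instead of dropping them
        else:
            parsed.append(record)
    return parsed, rejected


# Two lines copied from the post plus one constructed non-matching line.
SAMPLE = (
    "10:49:37\texwhh1s2ofneggxlpuvgg1fc\t1106\t1011\tAssigned enterpriseSiteId: 1049\n"
    "10:49:37\texwhh1s2ofneggxlpuvgg1fc\tSetAutoFillFields\n"
    "not a log line\n"
)

if __name__ == "__main__":
    records, failures = parse_all(SAMPLE)
    for record in records:
        print(record)
    print("unparsed:", failures)
```

Lines that match neither shape are returned separately, which mirrors how Logstash tags grok failures rather than discarding the event.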
