How to split the message field for IIS logs? In the debugger it is splitting, but when I run the config file it is not splitting, so I am not able to use it in Kibana graphs.

Sample logs
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2017-04-18 00:00:00 AAAAAA COMPUTER10001 10.10.25.10 POST /AA/AA - 80 - 10.20.30.251 HTTP/1.1 Mozilla/5.0+(iPad;+CPU+OS+10_3_1+like+Mac+OS+X)+AppleWebKit/603.1.30+(KHTML,+like+Gecko)+Version/10.0+Mobile/14E304+Safari/602.1 https://aa.aa.com/AA/Term.aspx aa.aa.com 200 0 0 372 2454 15

input {
  file {
    path => "/tmp/u_ex170418_new_1.log"
    start_position => "beginning"
    # "NUL" is the Windows null device; with a /tmp path Logstash is
    # assumed to run on Linux, where "/dev/null" is the equivalent
    # (with "NUL" it would create a sincedb file literally named NUL)
    sincedb_path => "/dev/null"
    # The original conditional tested [prospector][type], which only
    # Filebeat sets. The file input never sets that field, so the grok
    # block never ran, no event got the "success" tag and every event
    # was dropped. Set a type here and test that instead.
    type => "iis"
  }
}

filter {
  if [type] == "iis" {
    grok {
      # One pattern per column of the #Fields: header. The '#' directive
      # lines of the log do not match, receive _grokparsefailure and are
      # dropped below.
      match => [ "message", "%{TIMESTAMP_ISO8601:log_timestamp} %{NOTSPACE:s-sitename} %{NOTSPACE:s-computername} %{NOTSPACE:s-ip} %{WORD:cs-method} %{URIPATH:cs-uri-stem} %{NOTSPACE:cs-uri-query} %{NUMBER:s-port} %{NOTSPACE:cs-username} %{IPORHOST:c-ip} %{NOTSPACE:cs-version} %{NOTSPACE:cs-useragent} %{NOTSPACE:cs-referer} %{NOTSPACE:cs-host} %{NUMBER:sc-status:int} %{NUMBER:sc-substatus:int} %{NUMBER:sc-win32-status:int} %{NUMBER:sc-bytes:int} %{NUMBER:cs-bytes:int} %{NUMBER:time-taken:int}" ]
      add_tag => [ "success" ]
      # grok already splits message into the fields above; add_tag and
      # remove_field only run on a successful match
      remove_field => [ "message" ]
    }
    if "success" not in [tags] {
      drop { }
    }
    date {
      match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
      timezone => "Etc/UTC"
    }
    # The split filter was removed: it turns an array field into several
    # events, it does not break a string into fields, and [message] had
    # already been removed by grok at that point.
    mutate {
      remove_field => [ "log_timestamp" ]
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "aa_iis_1"
    document_type => "iis"
  }
  stdout { codec => rubydebug }
}


[screenshot attached: Logstash_conf_Result]
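As an added example that is not part of the original post: the grok pattern in the config hard-codes the column order of the IIS log. The Python below does the same field splitting on the sample records, but takes the column order from the `#Fields:` directive (the W3C extended format IIS writes declares its columns there), skips the other `#` directive lines that would otherwise land as `_grokparsefailure`, drops records whose column count does not match the header, casts the numeric columns to int as the `:int` suffixes do, combines date and time into one UTC timestamp as the date filter does, and decodes the `+` that IIS substitutes for spaces in `cs(User-Agent)`. Field names are derived from the header, so `cs(User-Agent)` becomes `cs-user-agent` rather than the `cs-useragent` used in the grok pattern. The first record is the one from the post; the second (a 404 with a query string) and the truncated third are constructed.

```python
"""IIS W3C extended log parser, mirroring the grok pattern in the post.

Added example, not code from the original thread. The column order is read
from the '#Fields:' directive instead of being hard-coded; records are split
on single spaces because IIS never writes a bare space inside a field
(spaces in cs(User-Agent) are written as '+').
"""
from datetime import datetime, timezone

# Constructed sample. The first record is the one from the post; the second
# (a 404 with a query string) and the truncated third are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2017-04-18 00:00:00
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2017-04-18 00:00:00 AAAAAA COMPUTER10001 10.10.25.10 POST /AA/AA - 80 - 10.20.30.251 HTTP/1.1 Mozilla/5.0+(iPad;+CPU+OS+10_3_1+like+Mac+OS+X)+AppleWebKit/603.1.30+(KHTML,+like+Gecko)+Version/10.0+Mobile/14E304+Safari/602.1 https://aa.aa.com/AA/Term.aspx aa.aa.com 200 0 0 372 2454 15
2017-04-18 00:00:01 AAAAAA COMPUTER10001 10.10.25.10 GET /AA/Term.aspx id=42 443 - 10.20.30.77 HTTP/1.1 curl/7.52.1 - aa.aa.com 404 0 2 1403 210 3
2017-04-18 00:00:02 AAAAAA COMPUTER10001
"""

# Columns cast to int, the equivalent of the grok ":int" suffixes
INT_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status",
              "sc-bytes", "cs-bytes", "time-taken"}


def normalize(name):
    """'cs(User-Agent)' -> 'cs-user-agent'; plain names are just lower-cased."""
    return name.replace("(", "-").rstrip(")").lower()


def parse_record(fields, line):
    """Return an event dict for one record, or None when the column count
    does not match the header (the _grokparsefailure case in Logstash)."""
    cols = line.split(" ")
    if len(cols) != len(fields):
        return None
    event = {}
    for name, value in zip(fields, cols):
        if value == "-":                  # IIS writes '-' for an empty field
            value = None
        elif name in INT_FIELDS:
            value = int(value)
        event[name] = value
    # IIS replaces spaces in the User-Agent with '+'; undo that
    if event.get("cs-user-agent"):
        event["cs-user-agent"] = event["cs-user-agent"].replace("+", " ")
    # date + time -> one UTC timestamp, like the date filter in the config
    if "date" in event and "time" in event:
        stamp = f"{event.pop('date')} {event.pop('time')}"
        event["@timestamp"] = datetime.strptime(
            stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return event


def parse_iis_log(text):
    """Parse a whole log. Returns (events, dropped_lines)."""
    fields = None
    events, dropped = [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            # Directive lines carry no event; only #Fields: is used
            if line.startswith("#Fields:"):
                fields = [normalize(f) for f in line.split()[1:]]
            continue
        if fields is None:
            raise ValueError("record seen before a #Fields: directive")
        event = parse_record(fields, line)
        if event is None:
            dropped.append(line)
        else:
            events.append(event)
    return events, dropped


if __name__ == "__main__":
    evs, bad = parse_iis_log(SAMPLE_LOG)
    for e in evs:
        print(e["@timestamp"].isoformat(), e["c-ip"], e["cs-method"],
              e["cs-uri-stem"], e["sc-status"], e["time-taken"])
    print(f"{len(bad)} record(s) dropped")
```

Reading the column list from the header is what makes this robust to a site whose IIS logging has different fields enabled; a fixed grok pattern has to be edited whenever the `#Fields:` line changes, and until it is, every record is a parse failure and, with the drop rule in the config above, silently disappears.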


I have got the solution: I commented out the type declaration and it works.
