How to split the log data message ( log4j )

venkat-accel · June 17, 2016, 8:37am

Hi,

I have log4j data , i created config file and able to load the data in kibana but all the log data , each line is loaded as single filed called
"message ".

But i want to split each filed in the message as separately for further analysis.
Please let me know how to achieve this.

mentioned config file as below

input {
file {
type => "log4j"
path => "C:\WEBLog_1.log"
start_position => beginning
ignore_older => 0
}
}
filter {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}"}
}
}

warkolm · June 18, 2016, 1:32am

It'd be helpful if you provided the data that you want to match as well.

venkat-accel · June 18, 2016, 7:58am

Please find the sample line of log file

2013/03/07 00:35:15 HTTP 192.168.xx.xxx - - - Allowed - 302 go.abc.com 126 0 160 - text/html databasematch ITsample\IT ITsample\IT - - http://go.abc.com/fwlink/?linkid=45332&abcdd HTTP/1.1 GET -

magnusbaeck · June 21, 2016, 5:46am

The COMBINEDAPACHELOG pattern won't work for this log since it's in another format. I don't recognize it so you probably have to write your own grok expression to parse it. It's similar to COMBINEDAPACHELOG though so you should be able to reuse parts of it.