How to start Grok Pattern

Hi All,

Could someone help me start analyzing logs using the grok filter in Logstash?

I am just trying to capture the log file from a Windows machine at the path below:

"C:\Windows\Logs\CBS\CBS.log"

From this log I just want to filter only the "successfully" entries.

For this scenario, how do I start the grok pattern?

Thanks,
Nagaraj,

What have you tried doing?
Can you post some example log entries?

It makes it easier if you post some things that you have tried, as that shows us that you have tried; it also tells us what we shouldn't recommend, as you have already tried it.

If you post example log entries then we can actually test the suggestions that we have.

You may try something like this:

filter {
  # keep only events whose message contains the substring "successfully"
  if "successfully" in [message] {
    grok {
      # placeholder pattern: captures the whole line back into "message", so it changes nothing
      match => { "message" => "%{GREEDYDATA:message}" }
      overwrite => ["message"]
    }
  }
  else {
    # every other event is discarded
    drop {}
  }
}

I would change the match line to do some processing on the log line; it is doing nothing right now, but I wanted to give you a quick example.

Thanks @kharvey,

This is the sample log file:

2019-03-13 13:52:51, Info CBS Ending TrustedInstaller initialization.
2019-03-13 13:52:51, Info CBS Starting the TrustedInstaller main loop.
2019-03-13 13:52:51, Info CBS TrustedInstaller service starts successfully.
2019-03-13 13:52:51, Info CBS No startup processing required, TrustedInstaller service was not set as autostart
2019-03-13 13:52:51, Info CBS Startup processing thread terminated normally
2019-03-13 13:52:51, Info CBS Starting TiWorker initialization.
2019-03-13 13:52:51, Info CBS Ending TiWorker initialization.
2019-03-13 13:52:51, Info CBS Starting the TiWorker main loop.
2019-03-13 13:52:51, Info CBS TiWorker starts successfully.

From that output I just want to get only the line "CBS TiWorker starts successfully", with its timestamp.

filter {
  # substring test on the raw line: only events containing "successfully" pass
  if "successfully" in [message] {
    grok {
      # placeholder pattern that re-captures the whole line; replace with real field extraction
      match => { "message" => "%{GREEDYDATA:message}" }
      overwrite => ["message"]
    }
  }
  else {
    # drop everything that did not contain "successfully"
    drop {}
  }
}

I copied and pasted the solution that I gave you earlier into a filter and used your log data, and everything worked. I received 2 messages, both with "successfully" in them. All of the others were dropped.
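As an added example that is not part of the thread above, the following Python script shows what a real match line for these CBS.log entries would do. The grok pattern `%{TIMESTAMP_ISO8601:timestamp}, %{WORD:level}\s+%{WORD:component}\s+%{GREEDYDATA:text}` is an assumption based on the sample lines posted, and the regular expression below is a hand-expanded (simplified) equivalent of it with Python named groups. The sample lines are constructed from the thread, and the `filter_successful` function reproduces the `if "successfully" in [message] ... else { drop {} }` logic so the result can be checked offline.

```python
import re

# Constructed sample input, copied from the format shown in the thread
SAMPLE_LOG = """2019-03-13 13:52:51, Info CBS Ending TrustedInstaller initialization.
2019-03-13 13:52:51, Info CBS Starting the TrustedInstaller main loop.
2019-03-13 13:52:51, Info CBS TrustedInstaller service starts successfully.
2019-03-13 13:52:51, Info CBS No startup processing required, TrustedInstaller service was not set as autostart
2019-03-13 13:52:51, Info CBS Startup processing thread terminated normally
2019-03-13 13:52:51, Info CBS Starting TiWorker initialization.
2019-03-13 13:52:51, Info CBS Ending TiWorker initialization.
2019-03-13 13:52:51, Info CBS Starting the TiWorker main loop.
2019-03-13 13:52:51, Info CBS TiWorker starts successfully."""

# Assumed grok pattern for the logstash match line (not from the thread):
#   %{TIMESTAMP_ISO8601:timestamp}, %{WORD:level}\s+%{WORD:component}\s+%{GREEDYDATA:text}
# Hand-expanded, simplified regex equivalent of that pattern:
#   TIMESTAMP_ISO8601 -> date, space or T, time, optional fractional seconds
#   WORD              -> \w+
#   GREEDYDATA        -> .*
CBS_LINE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?), "
    r"(?P<level>\w+)\s+(?P<component>\w+)\s+(?P<text>.*)$"
)


def grok_line(line):
    """Parse one CBS.log line into fields.

    Returns a dict of the named captures, or None when the line does not
    match (logstash would keep the event and tag it _grokparsefailure).
    """
    m = CBS_LINE.match(line)
    return m.groupdict() if m else None


def filter_successful(log_text, keyword="successfully"):
    """Emulate the posted filter: keep only lines containing `keyword`, then grok them.

    The substring test is case-sensitive, exactly like `"successfully" in [message]`.
    Lines that pass the test but fail the grok pattern are kept with a
    _grokparsefailure tag so that a format change does not silently lose data.
    """
    events = []
    for line in log_text.splitlines():
        if keyword not in line:
            continue  # drop {}
        fields = grok_line(line)
        if fields is None:
            fields = {"message": line, "tags": ["_grokparsefailure"]}
        events.append(fields)
    return events


if __name__ == "__main__":
    for ev in filter_successful(SAMPLE_LOG):
        print(ev.get("timestamp"), ev.get("component"), ev.get("text", ev.get("message")))
```

Running it prints the two "successfully" lines with their timestamp, level and component split out, which is what the `match` line in the thread's filter would produce once the placeholder `%{GREEDYDATA:message}` is replaced by the pattern above. Check the real CBS.log spacing before relying on the pattern; the `\s+` between fields tolerates the padding the original file uses, but a different field order would need a different pattern.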
