How to use Logstash and ElasticSearch to Index 'transactionID' from 'message' while keeping original 'message' intact

jibitgeorge · June 17, 2020, 4:04pm

I already have ELK setup for my Java application and I'm able to see the logs in Kibana.

I have a field called 'message' in which I have a string called transactionID and a value assoicated with it (eg: transactionID:73782983848748937947). Now I would like to see transactionID as a seperate field in kibana. At the same time I want to see the original message also.

Please see below screenshot.

In this I want transactionID also to be listed just like 'fields.app','fields.container', 'fields.environment' etc. And I want the 'message' to be retained as it is.

Please provide your suggestions about the right approach to achieve this using logstash and ElasticSearch

All my ElasticStack components are 7.6.2 version

Jenni · June 17, 2020, 4:43pm

A grok filter with the pattern \[transactionId=%{NUMBER:transactionId}\] could create that field for you.

jibitgeorge · June 18, 2020, 5:03am

Thanks for the reply @Jenni. let me try that and get back to you.

jibitgeorge · June 24, 2020, 3:27pm

@Jenni The suggestion worked for me. Thanks for your input

system · July 22, 2020, 3:27pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elastic Search using Message Content Parse with Logstash Logstash	6	978	January 26, 2022
Filter Logs from Firewall Logstash	4	1849	April 22, 2019
Not displaying fields specified in the Logstash filter Logstash	11	4655	July 6, 2017
Add new filter questions Logstash	5	502	November 12, 2019
Grok filter. How do I break up the message information? Logstash	4	1327	January 18, 2018

How to use Logstash and ElasticSearch to Index 'transactionID' from 'message' while keeping original 'message' intact

Related topics