Hi Badger,
I tried to implement it, but I'm getting an error. Below is my conf file. Could you please tell me if I'm doing anything wrong?
# Read events from a single application log file and label each one
# with type "log".
input {
  file {
    type => "log"
    path => "/data/log/newadmin.log"
  }
}
filter {
# Split one PNR log line into named fields and tag the event "pnr" when the
# pattern matches. The trailing onDPriceDetails field captures the rest of the
# line (GREEDYDATA).
#
# NOTE(review): the pattern string contains a literal line break between
# "sectorDistance=..., " and "pricingTotBasefare=". If the log line has no
# newline at that point the match will fail; confirm whether the break is a
# paste artefact.
# NOTE(review): "pricinngTotAdditionalFees" (double n) appears in addition to
# "pricingTotAdditionalFees"; verify the spelling against the real log line.
# NOTE(review): the pattern is unanchored and chains many non-greedy DATA
# captures, so a line that does not match can be expensive to reject.
# Consider anchoring it with ^ and reviewing grok's timeout_millis setting.
# NOTE(review): paxName, paxEmailId, paxContactNo, paxDOB, paxPassportNo,
# paxAddress and paxIpAddress are extracted as individual fields. Confirm that
# each of them needs to be indexed and who can read the resulting index.
grok {
match => { "message" => "%{DATESTAMP:date1}\ %{DATA:LogLevel}\ %{DATA:msg1}\ %{DATA:requestTrackID}\ %{IP:sourceIP}\ %{DATA:tenant}\ %{DATA:thread}\ pnrNo=%{DATA:pnrNo}, pnrBkdDateTime=%{TIMESTAMP_ISO8601:pnrBkdDateTime}, pnrChannel=%{DATA:pnrChannel}, pnrOndOrg=%{DATA:pnrOndOrg}, pnrOndDest=%{DATA:pnrOndDest}, pnrAgent=%{DATA:pnrAgent}, pnrStaff=%{DATA:pnrStaff}, pnrRegion=%{DATA:pnrRegion}, pnrCountry=%{DATA:pnrCountry}, pnrTerritory=%{DATA:pnrTerritory}, pnrCity=%{DATA:pnrCity}, pnrFareBasis=%{DATA:pnrFareBasis}, pnrBaseCurrency=%{DATA:pnrBaseCurrency}, pnrPaxCount=%{NUMBER:pnrPaxCount}, pnrExchangeRate=%{BASE10NUM:pnrExchangeRate}, pnrMasterAgent=%{DATA:pnrMasterAgent}, pnrSelectedCurrency=%{DATA:pnrSelectedCurrency}, pnrPaymentStatus=%{DATA:pnrPaymentStatus}, pnrCurrentStatus=%{DATA:pnrCurrentStatus}, paxTitle=%{DATA:paxTitle}, paxName=%{DATA:paxName}, paxEmailId=%{DATA:paxEmailId}, paxContactNo=%{NUMBER:paxContactNo}, paxDOB=%{DATA:paxDOB}, paxPassportNo=%{DATA:paxPassportNo}, paxLtvId=%{DATA:paxLtvId}, paxTicketNo=%{DATA:paxTicketNo}, paxSeatNo=%{DATA:paxSeatNo}, paxType=%{DATA:paxType}, paxAddress=%{DATA:paxAddress}, paxPassportValidity=%{DATA:paxPassportValidity}, paxNationality=%{DATA:paxNationality}, paxCategory=%{DATA:paxCategory}, paxIpAddress=%{DATA:paxIpAddress}, sectorAircraftType=%{DATA:sectorAircraftType}, sectorFltNo=%{DATA:sectorFltNo}, sectorDepDateTime=%{DATA:sectorDepDateTime}, sectorArrivalDateTime=%{TIMESTAMP_ISO8601:sectorArrivalDateTime}, sectorOrg=%{DATA:sectorOrg}, sectorDest=%{DATA:sectorDest}, sectorCabinClass=%{DATA:sectorCabinClass}, sectorLogicalClass=%{DATA:sectorLogicalClass}, sectorRbd=%{DATA:sectorRbd}, sectorFltStop=%{DATA:sectorFltStop}, sectorFltStopStn=%{DATA:sectorFltStopStn}, sectorSeqNo=%{NUMBER:sectorSeqNo}, sectorBookingStatus=%{DATA:sectorBookingStatus}, sectorDcsStatus=%{DATA:sectorDcsStatus}, sectorInstanceId=%{DATA:sectorInstanceId}, sectorDistance=%{NUMBER:sectorDistance}, 
pricingTotBasefare=%{BASE10NUM:pricingTotBasefare}, pricingTotSurcharge=%{BASE10NUM:pricingTotSurcharge}, pricingTotTaxes=%{BASE10NUM:pricingTotTaxes}, pricingTotFees=%{BASE10NUM:pricingTotFees}, pricingTotAncillary=%{BASE10NUM:pricingTotAncillary}, pricingTotDiscount=%{BASE10NUM:pricingTotDiscount}, pricingNetCanCharge=%{BASE10NUM:pricingNetCanCharge}, pricingTotModCharge=%{BASE10NUM:pricingTotModCharge}, pricingRefundAmount=%{BASE10NUM:pricingRefundAmount}, pricingExtraServiceFee=%{BASE10NUM:pricingExtraServiceFee}, pricingNetAmount=%{BASE10NUM:pricingNetAmount}, pricingTotMeal=%{BASE10NUM:pricingTotMeal}, pricingTotBaggage=%{BASE10NUM:pricingTotBaggage}, pricingTotSeat=%{BASE10NUM:pricingTotSeat}, pricingTotService=%{BASE10NUM:pricingTotService}, pricingTotVendors=%{BASE10NUM:pricingTotVendors}, pricingTotAdditionalFees=%{BASE10NUM:pricingTotAdditionalFees}, pricingTotGenDiscount=%{BASE10NUM:pricingTotGenDiscount}, pricingTotLtvDiscount=%{BASE10NUM:pricingTotLtvDiscount}, pricinngTotAdditionalFees=%{BASE10NUM:pricinngTotAdditionalFees}, pricingTotDcsMeals=%{BASE10NUM:pricingTotDcsMeals}, pricingTotDcsSeat=%{BASE10NUM:pricingTotDcsSeat}, pricingTotDcsBaggage=%{BASE10NUM:pricingTotDcsBaggage}, pricingTotDcsServices=%{BASE10NUM:pricingTotDcsServices}, dcsPaymentStatus=%{DATA:dcsPaymentStatus}, onDPriceDetails=%{GREEDYDATA:onDPriceDetails}" }
# Mark events that matched so later stages can tell them apart.
add_tag => ["pnr"]
}
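# kv is a filter plugin in its own right, not an option of mutate, so it must
# sit directly inside filter { }. Nesting it in mutate { } is a configuration
# error. The mutate wrapper carried no other settings, so it is dropped.
#
# Splits the onDPriceDetails text on "," into key/value pairs and stores them
# under [child]. Keeping a target means keys parsed from the log line cannot
# overwrite top-level event fields.
# NOTE(review): if the set of expected keys is known, kv's include_keys option
# can bound which field names log content is able to create. Confirm against
# the real data.
kv {
  source => "[onDPriceDetails]"
  target => "[child]"
  field_split => ","
}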
}
# Send every event to Elasticsearch on this host, using an index name that
# carries the event date. There is no conditional here, so events that did not
# match the grok pattern are indexed as well.
output {
  elasticsearch {
    # NOTE(review): no credentials or TLS settings are configured in this
    # block, and the events carry passenger details (passport number, date of
    # birth, e-mail). Confirm how access to this cluster and index is
    # restricted.
    index => "adminnew-log-%{+YYYY.MM.dd}"
    hosts => ["localhost:9200"]
  }
}