How work Logstash with Filebeat

Jose_Luis_Sanchez_Bo · September 5, 2018, 9:28am

Hi everyone,

I have a ELK Server, and i use Filebeat for input. Example:

2018-06-30 20:18:32,137 Authenticate a=1234
2018-06-30 20:18:32,137 Values b=4 c=5

Procedure in logstash:

The first "Authenticate" traces, process and I save in ElasticSearch with the value a = 1234.
The second "Values" trace, look for the first trace "Authenticate" and I get the value of a = 1234, then process and save in ElasticSearch with b = 4, c = 5 and a = 1234.

If Filebeat sends these two traces to Logstash at the same time, when the trace "Values" searches the first trace "Authenticate", this is not yet in ElasticSerach so it does not find the value of "a".

Is there any way to do this that I tell?
I need your help
Thanks.

Jose_Luis_Sanchez_Bo · September 5, 2018, 10:33am

elasticsearch{
hosts => ["localhost:9200"]
index => "sam_values"
query => "thread:%{thread} AND epoc:%{epoc} AND type_msg:sam_analize"
fields => { "uid" => "uid_sam" }
}

When i run logstash, the uid is not found. I think is because logstash take to much time to add the first event in elasticsearch and when it is trying to filter the second log event, it can't find nothing because the first log event is not yet saved in elasticsearch.

How can i solve this?

Jose_Luis_Sanchez_Bo · September 5, 2018, 10:54am

Please, someone could help me?

system · October 3, 2018, 10:54am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.