Index a file line by line in logstash

Ashish_Ranjan · June 28, 2019, 12:47pm

I am using logstash to ingest multiple application logs into elasticsearch. I have setup the filter to ingest logs which are working fine.

For one application I need to index the log file line by line, without any mapping/filtering, can someone tell me how I can do that from logstash filter. I cannot seem to find any filter that would do it.

zebu14 · June 28, 2019, 1:10pm

Hello,

First I suppose that you can filter your logstash processing rules between your different applications.

If so, i would use only your input and an output rule (without any filtering/mapping) like i do on one of my servers:

input {       #adapt your input to your needs

        beats {
        port => "8754"
        }
}

filter { #comment this line
}        #this line too

output {
        if [logtype] == "log_prd" {
                                        file {
                                        path => "/opt/dir/log_prd_%{+yyyy_MM_dd}.log"
                                        codec => line { format => "%{message}"}
                                        }
        }
        else if [logtype] == "log_dev" {
                                        file {
                                        path => "/opt/dir/log_dev_%{+yyyy_MM_dd}.log"
                                        codec => line { format => "%{message}"}
                                        }
        }
}

On my side, I am filtering the output on a field added on filebeat side ("logtype"), but you can just use your own separation method

Ashish_Ranjan · July 1, 2019, 5:23am

Hi,

Thanks for the reply, I understand what your are saying, although I have already applied a filter in my logstash filter section which works based on condition, since I do need to filter the logs coming from my other applications.

My output section is common which only connects to the elasticsearch api, please see my config file below:

input {
  beats {
     port => 5044
     }
}

filter {
  if [app] == "pythoncron" {
  grok {
      match => { "message" => "%{DATA:data}" }
    }
  }
  else {
  dissect {
    mapping => {
        message => "%{timestamp}|%{application}|%{module}|%{traceid}|%{severity}|%{info}"
      }
    }
  }
}

output {
   elasticsearch {
     manage_template => false
     hosts => "http://localhost:9200"
     index => "%{[env]}-%{[app]}"
  }
stdout { codec => "dots" }
}

As you can see, I have tried to ingest logs from application "pythoncron" line by line without any filter, and I have attempted this by putting some sort of generic filter (message" => "%{DATA:data} ) which does not seem to be working correctly.

So not sure if I can implement your suggestion above in my "output" section based on the conditions. Or may be I do not understand your suggestion completely

system · July 29, 2019, 5:23am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiple log in input, how to filter one by one? Logstash	4	392	May 14, 2019
Multiple index in elasticsearch from filebeat Beats filebeat	4	3207	August 4, 2017
Logstash Plugins Logstash	5	491	September 25, 2021
Conditional output from filbeat documents logstash to elasticsearch Logstash	3	725	June 4, 2019
Parse the same input in two different ways Logstash	3	373	October 8, 2018

Index a file line by line in logstash

Related topics