Hello!
I have windows 2012 server, it runs an ELK stack. I am trying to parse using logstash, the index has not yet been created in elastiсsearch, and it does not appear after running the config file.
input {
file {
codec => multiline {
pattern => "^([0-5][0-9]):[0-5][0-9]"
negate => true
what => previous
auto_flush_interval => 10
}
type => "TZH"
path => [ "//server/d$/TJ_logs/TLockErr/rphost*/*.log"]
start_position => "end"
stat_interval => 1
discover_interval => 30
}
}
filter {
grok {
match => {"path" => "(?(?:\w{2}\w{10}))/(?(?:\S{2}))/%{WORD:cat1}/%{WORD:cat2}/rphost_(?(?:\d+))/(?(?:\d+{2}))(?(?:\d+{2}))(?(?:\d+{2}))(?(?:\d+{2}))"}
}
grok {
match => {"message" => "(?(%{MINUTE}:%{SECOND}))-%{INT:duration},%{WORD:type},%{INT:level},%{GREEDYDATA:kv}"}
}
kv {
field_split => ","
value_split => "="
}
mutate {
add_field => ["my_timestamp","%{day}-%{month}-20%{year} %{hour}:%{minsec}"]
}
date {
match => ["my_timestamp", "dd-MM-yy HH:mm:ss.SSSSSS", "ISO8601"]
target => "@timestamp"
}
mutate {
remove_field => ["my_timestamp","kv","day", "month","year","hour","minsec","kv","cat1","cat2","disk"]
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "temp_tlockerr"
}
}