Hi, I was wondering if it's Kibana's feature or Elasticsearch's. I see Kibana displaying one message but in two files like this:
Can it be turned off and how?
I really tried to figure it out myself but couldn't.
Thanks in advance.
This is most likely a Logstash question. How is the file field populated?
All logs are sent to logstash by logstash-forwarder, like this:
    "files": [
        {
            "paths": [
                "/vipprduser1/vip/crm/crmapp1/JEE/CRMProduct/logs/CRMDomain/CRMServer*/clfylog_CRMServer*.log"
            ],
            "fields": { "type": "crmclfylog" }
        }
    ]
then I parse it in logstash like this:
    filter {
      if [type] == "crmclfylog" or [type] == "bapclfylog" or [type] == "igclfylog" {
        # join every line that does not start with a yyyy:mm:dd stamp onto the previous event
        multiline {
          pattern => "^\d{4}:\d{2}:\d{2}"
          negate => true
          what => "previous"
        }
        grok {
          pattern => ["JSession=%{NUMBER:JSession:int}"]
        }
        # extract the WebLogic node name from the file name the forwarder supplies
        grok {
          match => ["file","%{GREEDYDATA}/clfylog_%{GREEDYDATA:WLNode}utf8[0-9]{4}_[0-9]{4,5}\.log"]
        }
      }
    }
So the file field was already there; I then just started using it to extract the node name from it.
So, does anyone know anything about this strange aggregation and how to turn it off?
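The thread never names the mechanism, so here it is as an added example (not code from the thread, and not Logstash's own source). The old multiline filter keeps one pending event per stream_identity, which defaults to "%{host}.%{path}.%{type}". logstash-forwarder fills in file, not path, so every file of one type on one host collapses into the same stream, and a continuation line from one server's log gets folded into the pending event from another server's log. When Logstash appends one event to another and a field has different values in the two, that field becomes an array, which Kibana renders as one message in two files. The Python below is a simplified model of that behaviour; the host name, file paths and log lines are constructed, and stream_key/merge_fields approximate the filter rather than reproduce it.

```python
import re

# Options copied from the multiline block posted in the thread.
MULTILINE_PATTERN = re.compile(r"^\d{4}:\d{2}:\d{2}")
NEGATE = True  # negate => true; what => "previous" is the only mode modelled

# Constructed sample (not real data): two server logs on one host, delivered
# interleaved, the way a forwarder tailing both files at once sends them.
# Each dict is the event a lumberjack input builds: the forwarder sets
# "file", never "path".
HOST, TYPE = "vipprduser1", "crmclfylog"
FILE1 = "/logs/CRMDomain/CRMServer1/clfylog_CRMServer1utf80101_50001.log"
FILE2 = "/logs/CRMDomain/CRMServer2/clfylog_CRMServer2utf80101_50002.log"


def ev(path, message):
    return {"host": HOST, "type": TYPE, "file": path, "message": message}


RAW_EVENTS = [
    ev(FILE1, "2015:03:10 12:00:00 INFO request start JSession=4711"),
    ev(FILE2, "2015:03:10 12:00:00 INFO request start JSession=4712"),
    ev(FILE1, "    at com.example.Crm.handle(Crm.java:42)"),
    ev(FILE2, "    at com.example.Bap.handle(Bap.java:17)"),
    ev(FILE1, "2015:03:10 12:00:01 INFO request end JSession=4711"),
    ev(FILE2, "2015:03:10 12:00:01 INFO request end JSession=4712"),
]

DEFAULT_IDENTITY = ["host", "path", "type"]  # the filter's default key
FIXED_IDENTITY = ["host", "file", "type"]    # stream_identity => "%{host}.%{file}.%{type}"


def stream_key(event, identity_fields):
    """Model of the stream_identity sprintf: a field the event lacks
    expands to "", so %{path} adds nothing for forwarder events."""
    return ".".join(str(event.get(f, "")) for f in identity_fields)


def merge_fields(dst, src):
    """Model of appending one event to another: a field whose value differs
    between the two events is turned into a list holding both values."""
    for k, v in src.items():
        if k == "message":
            continue  # message text is joined separately
        if k not in dst:
            dst[k] = v
        elif isinstance(dst[k], list):
            if v not in dst[k]:
                dst[k].append(v)
        elif dst[k] != v:
            dst[k] = [dst[k], v]


def multiline(events, identity_fields):
    """Model of the old multiline filter: one pending event per stream key;
    a continuation line is folded into the pending event of its stream."""
    pending, out = {}, []
    for e in events:
        key = stream_key(e, identity_fields)
        matched = MULTILINE_PATTERN.search(e["message"]) is not None
        continuation = matched != NEGATE  # negate flips the match
        if continuation and key in pending:
            p = pending[key]
            p["message"] += "\n" + e["message"]
            merge_fields(p, e)
        else:
            if key in pending:
                out.append(pending.pop(key))  # previous event is complete
            pending[key] = dict(e)
    out.extend(pending.values())
    return out


def split_file_events(events):
    """Events whose "file" came out as a list: the symptom from the thread."""
    return [e for e in events if isinstance(e["file"], list)]


if __name__ == "__main__":
    for label, ident in (("default", DEFAULT_IDENTITY), ("fixed", FIXED_IDENTITY)):
        evs = multiline(RAW_EVENTS, ident)
        print(f"{label}: {len(evs)} events, "
              f"{len(split_file_events(evs))} with file as an array")
        for e in evs:
            print("  file=", e["file"], "| lines=", e["message"].count("\n") + 1)
```

With the default key, the second server's stack trace lands in the first server's event and its file field becomes a two-element array; with the key built from file, each log is its own stream and every event carries exactly one file. The Logstash change this models is adding stream_identity => "%{host}.%{file}.%{type}" to the multiline block, or moving the line joining to a shipper that does it per file (Filebeat) so it can never cross files.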
© 2020. All Rights Reserved - Elasticsearch