Link lines context in Logstash

Hi

My post is to explain a parser that I built myself, because there was no reference for it anywhere.

I used a HashMap (key/value) keyed by the "source" tag from Filebeat to keep a
transaction context in my script and then link lines loaded from many files concurrently, without any mistakes.

If my knowledge of Ruby were better, I could think of a simpler solution; it is a little complicated for me as a Ruby newbie. In my mind it was clear,
but it had to be put on paper.

Below is part of the code:

filter {
    grok {
        # One multi-line Filebeat event per action block; the trailing
        # "time: ...s, line: ..." part is optional.
        match => ["message","%{SPACE}(?<method_action>%{WORD})\((?<params_action>%{GREEDYDATA})\)\n%{SPACE}{\n%{GREEDYDATA:message_action}\n  }( time: %{NUMBER:time_action}s, line: %{NUMBER:line_action}\n)?"]
    }

    if "_grokparsefailure" not in [tags] {
        # Action event: advance this file's running clock by time_action and
        # stamp the event with it plus the version seen for the same file.
        # @@ class variables are shared by every ruby filter instance, which is
        # what links the separate filters below; the hashes are keyed by the
        # Filebeat "source" path so files loaded concurrently do not mix.
        # The state only makes sense if the events of one file arrive in
        # order, so run this pipeline with pipeline.workers => 1.
        ruby {
            code => "
                source = event.get('source')
                start  = @@timestamp_start[source]
                if start.nil?
                    # action seen before the file's Date/time header
                    event.tag('_missing_context')
                else
                    # time_action is a string from grok; nil.to_f is 0.0 when
                    # the optional 'time: ...' part was absent
                    elapsed = event.get('time_action').to_f
                    @@timestamp_start[source] = Time.at(start.to_f + elapsed)
                    event.set('@timestamp_start', @@timestamp_start[source])
                    event.set('version', @@version_start[source])
                end
            "
        }
    } else if [message] =~ /^Version[.:]+ / {
        grok {
            match => ["message", "^Version[.:]+ %{GREEDYDATA:version_start}"]
        }
        ruby {
            init => "@@version_start = {}"
            code => "@@version_start[event.get('source')] = event.get('version_start')"
        }
    } else if [message] =~ /^Date\/time[.:]+ / {
        grok {
            match => ["message", "^Date\/time[: .]+(?<timestamp_start>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}.%{HOUR}:%{MINUTE}:%{SECOND})"]
        }

        # Sets @timestamp from timestamp_start. The pattern expects a literal
        # '.' between date and time, while the grok above accepts any single
        # character there.
        date {
            match => [ "timestamp_start", "YYYY-MM-dd.HH:mm:ss" ]
        }

        # init runs once at pipeline start, so the hash exists before any
        # action event reaches the ruby filter above.
        ruby {
            init => "@@timestamp_start = {}"
            code => "@@timestamp_start[event.get('source')] = event.get('@timestamp')"
        }
    }
}

If somebody has a better solution, please put it in the comments.
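To make the linking logic above testable outside Logstash, here is the same per-source state machine written as plain Ruby. This is an added example, not code from the original post: the regexes are hand-written equivalents of the post's grok patterns, the sample events (two interleaved files plus a third file whose action arrives before its Date/time header) are constructed, and the "_missing_context" tag, the Mutex and the ContextLinker/link_events names are assumptions of this example. As in the post, an action's "@timestamp_start" is the file's Date/time value advanced by the cumulative "time:" values seen so far for that file.

```ruby
# Constructed Filebeat-style events: each carries the file path in "source"
# and one multi-line action block (or a header line) in "message".
EVENTS = [
  { 'source' => '/var/log/run_a.log', 'message' => 'Version: 2.1.0' },
  { 'source' => '/var/log/run_b.log', 'message' => 'Version.. 3.0.5' },
  { 'source' => '/var/log/run_a.log', 'message' => 'Date/time: 2018-01-04.10:00:00' },
  { 'source' => '/var/log/run_b.log', 'message' => 'Date/time: 2018-01-04.11:30:00' },
  { 'source' => '/var/log/run_a.log',
    'message' => "  login(user=alice)\n  {\n  ok\n  } time: 1.5s, line: 12\n" },
  { 'source' => '/var/log/run_b.log',
    'message' => "  query(id=7)\n  {\n  rows=3\n  } time: 10s, line: 40\n" },
  { 'source' => '/var/log/run_a.log',
    'message' => "  logout(user=alice)\n  {\n  done\n  } time: 2.5s, line: 13\n" },
  # action with no Date/time header seen yet for this file
  { 'source' => '/var/log/run_c.log',
    'message' => "  orphan(x)\n  {\n  no header seen\n  }\n" },
].freeze

# Plain-Ruby equivalents of the grok patterns in the post. GREEDYDATA is ".*"
# without the multiline flag, so message_action is one line here as well, and
# the "time: ...s, line: ..." tail is optional.
ACTION_RE = /\s*(?<method_action>\w+)\((?<params_action>.*)\)\n\s*\{\n(?<message_action>.*)\n  \}( time: (?<time_action>[0-9.]+)s, line: (?<line_action>\d+)\n)?/
VERSION_RE = /^Version[.:]+ (?<version_start>.*)/
DATETIME_RE = /^Date\/time[: .]+(?<y>\d{4})-(?<mo>\d{2})-(?<d>\d{2}).(?<h>\d{2}):(?<mi>\d{2}):(?<s>\d{2}(?:\.\d+)?)/

# Plays the role of the @@version_start / @@timestamp_start class variables:
# one hash per kind of context, keyed by the Filebeat "source" path, so
# concurrently loaded files never share state. The Mutex stands in for the
# fact that Logstash runs ruby filters on every worker thread; it does not
# restore per-file ordering, which must still be guaranteed upstream.
class ContextLinker
  MISSING_TAG = '_missing_context'.freeze # assumed tag name for this example

  def initialize
    @version_start = {}
    @timestamp_start = {}
    @lock = Mutex.new
  end

  # Takes one event hash and returns a copy carrying the fields the Logstash
  # filter chain in the post would add.
  def filter(event)
    source = event['source']
    msg = event['message']
    out = event.dup
    @lock.synchronize do
      if (m = ACTION_RE.match(msg))
        out['method_action']  = m[:method_action]
        out['params_action']  = m[:params_action]
        out['message_action'] = m[:message_action]
        start = @timestamp_start[source]
        if start.nil?
          # The post's ruby filter would raise on nil here; tag instead.
          out['tags'] = (out['tags'] || []) + [MISSING_TAG]
        else
          elapsed = m[:time_action] ? m[:time_action].to_f : 0.0
          @timestamp_start[source] = start + elapsed
          out['@timestamp_start'] = @timestamp_start[source]
          out['version'] = @version_start[source]
        end
      elsif (m = VERSION_RE.match(msg))
        @version_start[source] = m[:version_start]
        out['version_start'] = m[:version_start]
      elsif (m = DATETIME_RE.match(msg))
        # grok + date filter: the file's transaction start, kept in UTC
        base = Time.utc(m[:y].to_i, m[:mo].to_i, m[:d].to_i, m[:h].to_i, m[:mi].to_i, 0)
        @timestamp_start[source] = base + m[:s].to_f
        out['timestamp_start'] = @timestamp_start[source]
      else
        out['tags'] = (out['tags'] || []) + ['_grokparsefailure']
      end
    end
    out
  end
end

# Runs every event through one shared linker, in arrival order.
def link_events(events)
  linker = ContextLinker.new
  events.map { |e| linker.filter(e) }
end

if $PROGRAM_NAME == __FILE__
  link_events(EVENTS).each do |e|
    puts "#{e['source']} #{e['method_action'] || '-'} " \
         "#{e['@timestamp_start'] ? e['@timestamp_start'].strftime('%H:%M:%S.%L') : '-'} " \
         "version=#{e['version'] || '-'} tags=#{e['tags'].inspect}"
  end
end
```

Running it shows run_a's two actions landing at 10:00:01.500 and 10:00:04.000 with version 2.1.0, run_b's at 11:30:10.000 with version 3.0.5, and run_c's orphan action tagged rather than crashing the filter, which is the case the post's original code does not handle.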

What does a raw event look like and what is the end result you are looking to achieve?
