Log parsing using Logstash 2.1

Hi,

I have the following log:-
11/24/2016 06:56:22 - Process(6416.3) User(f_wmq_prod) Program(amqzmur0.exe)
Host(ST-W4005) Installation(WMQ75)
VRMF(7.5.0.1) QMgr(P0401)

AMQ6287: WebSphere MQ V7.5.0.1 (p750-001-130308).

EXPLANATION:
WebSphere MQ system information:
Host Info :- Windows Server 2008 R2 Server Enterprise Edition, Build
7601: SP1 (MQ Windows 32-bit)
Installation :- C:\IBM\WMQ (WMQ75)
Version :- 7.5.0.1 (p750-001-130308)
ACTION:
None.
-----amqrmrsa.c : 898--------------------------------------------------------------------------
11/26/2016 12:29:45 - Process(7556.38805) User(f_wmq_prod) Program(amqrmppa.exe)
Host(ST-W4005) Installation(WMQ75)
VRMF(7.5.0.1) QMgr(P0401)

AMQ9999: Channel 'ENDUR.P0401' to host 'st-w4235 (143.97.5.30)' ended
abnormally.

EXPLANATION:
The channel program running under process ID 7556(11048) for channel
'ENDUR.P0401' ended abnormally. The host name is 'st-w4235 (143.97.5.30)'; in
some cases the host name cannot be determined and so is shown as '????'.
ACTION:
Look at previous error messages for the channel program in the error logs to
determine the cause of the failure. Note that this message can be excluded
completely or suppressed by tuning the "ExcludeMessage" or "SuppressMessage"
attributes under the "QMErrorLog" stanza in qm.ini. Further information can be
found in the System Administration Guide.
----- amqrmrsa.c : 898 --------------------------------------------------------

This is my config file:-
input {
  file {
    type => "logs"
    path => [ "D:/chirag/Logfileanalysismonitoring/AMQERR01.LOG" ]
    # Every record starts with "MM/dd/yyyy HH:mm:ss"; any line that does NOT
    # match that pattern is appended to the previous event, so one event
    # carries one complete multi-line record.
    codec => multiline {
      negate => true
      pattern => "(^%{INT}/%{MONTHDAY}/%{YEAR} %{HOUR}:%{MINUTE}:%{SECOND})"
      what => "previous"
    }
  }
}
filter {
  if [type] == "logs" {
    # AMQERR01_TIMESTAMP is a custom pattern loaded from ./patterns.
    # The header is a run of Key(value) tokens; everything after QMgr(...)
    # lands in "info".
    grok {
      patterns_dir => "./patterns"
      match => [ "message", "%{AMQERR01_TIMESTAMP:timestamp} - %{NOTSPACE:process}%{SPACE}%{NOTSPACE:user}%{SPACE}%{NOTSPACE:program}%{SPACE}%{NOTSPACE:host}%{SPACE}%{NOTSPACE:installation}%{SPACE}%{NOTSPACE:vrmf}%{SPACE}%{NOTSPACE:qmgr}%{SPACE}%{GREEDYDATA:info}" ]
    }
    # Use the record's own timestamp as @timestamp instead of ingest time.
    date {
      match => [ "timestamp", "MM/dd/yyyy HH:mm:ss" ]
    }
  }
}
output {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => "10.76.170.72:9200"
    index => "amqerr01_2"
  }
}

I am able to capture the log from the AMQ line to the end in the field info.
So, field info contains:-
11/24/2016 06:56:22 - Process(6416.3) User(f_wmq_prod) Program(amqzmur0.exe)
Host(ST-W4005) Installation(WMQ75)
VRMF(7.5.0.1) QMgr(P0401)

AMQ6287: WebSphere MQ V7.5.0.1 (p750-001-130308).

EXPLANATION:
WebSphere MQ system information:
Host Info :- Windows Server 2008 R2 Server Enterprise Edition, Build
7601: SP1 (MQ Windows 32-bit)
Installation :- C:\IBM\WMQ (WMQ75)
Version :- 7.5.0.1 (p750-001-130308)
ACTION:
None.
-----amqrmrsa.c : 898--------------------------------------------------------------------------
I want to further extract the AMQ line, EXPLANATION and ACTION from the info field.
Looking at my logs, the pattern that separates the AMQ line from EXPLANATION is .\r\n\r\n and EXPLANATION from ACTION is .\r\n
I was thinking of first extracting the AMQ line from the info field using the pattern .\r\n\r\n, then EXPLANATION using the pattern .\r\n
I tried using mutate split:-
mutate {
  split => { "info" => ".\r\n\r\n" }
}
But it is not helping.
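The split the post is after can be worked out in a plain regex first and only then ported to grok. The following is an added example, not code from the post, from Elastic or from IBM: a stand-alone parser for the AMQERR01.LOG record layout quoted above. The sample is constructed from the two records in the post, joined with the CRLF line endings the poster reports; the field names (process, user, program, host, installation, vrmf, qmgr, code, message, explanation, action, source, peer_ip) mirror the grok config above plus a few assumed extras, and the peer_ip extraction is an assumption about how a channel event's remote host is written. It needs Python 3.7 or newer, which is what allows splitting on a zero-width lookahead.

```python
"""Parse IBM WebSphere MQ AMQERR01.LOG records into structured fields.

Added example (not from the original post, Elastic or IBM): a reference parser
for the record layout quoted in the thread, useful for checking what a grok
match should produce before wiring it into Logstash.
"""
import re
from datetime import datetime

# Sample constructed from the two records quoted in the post, joined with the
# CRLF line endings the poster reports seeing in the file.
SAMPLE = "\r\n".join([
    "11/24/2016 06:56:22 - Process(6416.3) User(f_wmq_prod) Program(amqzmur0.exe)",
    "Host(ST-W4005) Installation(WMQ75)",
    "VRMF(7.5.0.1) QMgr(P0401)",
    "",
    "AMQ6287: WebSphere MQ V7.5.0.1 (p750-001-130308).",
    "",
    "EXPLANATION:",
    "WebSphere MQ system information:",
    "Host Info :- Windows Server 2008 R2 Server Enterprise Edition, Build",
    "7601: SP1 (MQ Windows 32-bit)",
    r"Installation :- C:\IBM\WMQ (WMQ75)",
    "Version :- 7.5.0.1 (p750-001-130308)",
    "ACTION:",
    "None.",
    "-----amqrmrsa.c : 898------------------------------------------------------",
    "11/26/2016 12:29:45 - Process(7556.38805) User(f_wmq_prod) Program(amqrmppa.exe)",
    "Host(ST-W4005) Installation(WMQ75)",
    "VRMF(7.5.0.1) QMgr(P0401)",
    "",
    "AMQ9999: Channel 'ENDUR.P0401' to host 'st-w4235 (143.97.5.30)' ended",
    "abnormally.",
    "",
    "EXPLANATION:",
    "The channel program running under process ID 7556(11048) for channel",
    "'ENDUR.P0401' ended abnormally. The host name is 'st-w4235 (143.97.5.30)'; in",
    "some cases the host name cannot be determined and so is shown as '????'.",
    "ACTION:",
    "Look at previous error messages for the channel program in the error logs to",
    "determine the cause of the failure.",
    "----- amqrmrsa.c : 898 --------------------------------------------------",
]) + "\r\n"

# A record starts where a line begins with "MM/dd/yyyy HH:mm:ss - ", the same
# anchor the multiline codec in the Logstash config keys on.
RECORD_START = re.compile(r"^(?=\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} - )", re.M)

# Header: the run of Key(value) tokens, then everything else as "info".
HEADER = re.compile(
    r"^(?P<timestamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - "
    r"Process\((?P<process>[^)]*)\)\s+User\((?P<user>[^)]*)\)\s+"
    r"Program\((?P<program>[^)]*)\)\s+Host\((?P<host>[^)]*)\)\s+"
    r"Installation\((?P<installation>[^)]*)\)\s+VRMF\((?P<vrmf>[^)]*)\)\s+"
    r"QMgr\((?P<qmgr>[^)]*)\)\s*(?P<info>.*)$",
    re.S,
)

# Body of "info": AMQnnnn line (possibly wrapped), blank line, EXPLANATION
# block, ACTION block, then the "----- file.c : line -----" trailer.
BODY = re.compile(
    r"^(?P<code>AMQ\d{4}):\s*(?P<message>.*?)\n\s*\n"
    r"EXPLANATION:\n(?P<explanation>.*?)\n"
    r"ACTION:\n(?P<action>.*?)\n"
    r"-{5}\s*(?P<source>.*?)\s*-*\s*$",
    re.S,
)

# Assumed layout of the remote end in channel messages: "host (a.b.c.d)".
IPV4 = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def split_records(text):
    """Normalise line endings and split the file into one string per record."""
    text = text.replace("\r\n", "\n")
    return [r for r in RECORD_START.split(text) if r.strip()]


def parse_record(record):
    """Return a dict of fields for one record, or None if the header is off."""
    head = HEADER.match(record)
    if not head:
        return None
    fields = head.groupdict()
    fields["@timestamp"] = datetime.strptime(
        fields.pop("timestamp"), "%m/%d/%Y %H:%M:%S").isoformat()
    body = BODY.match(fields["info"])
    if body:
        fields["code"] = body.group("code")
        fields["message"] = " ".join(body.group("message").split())  # unwrap
        fields["explanation"] = body.group("explanation").strip()
        fields["action"] = body.group("action").strip()
        fields["source"] = body.group("source")
    ip = IPV4.search(fields.get("message", ""))
    if ip:
        fields["peer_ip"] = ip.group(1)  # remote side of a channel event
    return fields


def parse_log(text):
    """Parse a whole AMQERR01.LOG body into a list of record dicts."""
    return [r for r in map(parse_record, split_records(text)) if r]


if __name__ == "__main__":
    for rec in parse_log(SAMPLE):
        print(rec["@timestamp"], rec["code"], rec.get("peer_ip", "-"), rec["message"])
```

Two things this shows that bear on the mutate attempt: line endings are normalised before anything else, so the separator is a plain "\n\n" rather than ".\r\n\r\n"; and the boundary between message and EXPLANATION is a blank line, not a literal period, which matters because mutate split takes a literal separator string, so the "." in ".\r\n\r\n" is a literal full stop. The same three named groups (message, explanation, action) are what a grok match on the info field would need to capture; running this over the real file and comparing with the rubydebug output is a quick way to confirm what actually arrives in info.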
