Logstash filter for Nagios service-perfdata


(A G) #1

Hi,

My Nagios service-perfdata is in below format and I am using filebeat to ship this log to Logstash.

DATATYPE::SERVICEPERFDATA TIMET::1519123537 HOSTNAME::DXCSRVMON11014 SERVICEDESC::Zombie Processes SERVICEPERFDATA::procs=0;5;10;0; SERVICECHECKCOMMAND::check_nrpe!check_zombie_procs HOSTSTATE::UP HOSTSTATETYPE::HARD SERVICESTATE::OK SERVICESTATETYPE::HARD

Now, how do I automatically get fields for the rest of this log? Is there a simple way to say: the thing before the "::" is the field name and the thing after is the value.

So I can obtain a JSON for the Elastic index with many fields for each log line:

{
    "HOSTNAME" => "localhost",
    "SERVICEDESC" => "Zombie Processes",
    "SERVICEPERFDATA" => "procs=0;5;10;0",
    "HOSTSTATE" => "UP",
    "SERVICESTATE" => "OK",
    etc. ...
}

Thanks for your help in advance


(Magnus Bäck) #2

Use a kv filter.


(A G) #3

Thank you very much. I've managed to get the fields in the format I needed. However, is there any way I can still parse this field after creating it?

Currently my key-value field for SERVICEPERFDATA is as below.

"SERVICEPERFDATA" => "procs=0;5;10;0"

But I would like the output as below.

"SERVICEPERFDATA" => 0

i.e. procs=0;5;10;0 needs to be parsed so I only get the actual value of procs, which is 0 in this case.

Thanks for your help.

Here is my filter.

filter {
  kv {
    value_split => "::"   # "KEY::VALUE" pairs
    field_split => "\t"   # pairs are tab-separated in the perfdata template
    trim_value  => ":"    # drop any stray ":" left on a value
  }
}


(Magnus Bäck) #4

You can process the SERVICEPERFDATA field with any filter. If you just want to remove everything from the first semicolon and onwards you can use a mutate filter's gsub option.
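A complete pipeline that covers both replies above (the kv filter from #2 and the mutate gsub approach from #4), written as an added example rather than code from the thread. It assumes the perfdata line arrives in the message field and that the pairs are tab-separated, as the poster's own filter indicates (the sample line in #1 was rendered with spaces); the copied SERVICEPERFDATA_raw field and the perf_* field names are my own choices. The grok stage at the end is an optional extension that also keeps the warning and critical thresholds, which the gsub-only approach discards.

```logstash
filter {
  # 1. Split each "KEY::VALUE" pair into its own top-level field
  #    (HOSTNAME, SERVICEDESC, SERVICEPERFDATA, ...).
  kv {
    source      => "message"
    value_split => "::"
    field_split => "\t"
  }

  if [SERVICEPERFDATA] {
    # 2. Keep an untouched copy of the perfdata string, so nothing is lost
    #    once SERVICEPERFDATA itself is rewritten below. (SERVICEPERFDATA_raw
    #    is an assumed name, not part of the thread.)
    mutate {
      copy => { "SERVICEPERFDATA" => "SERVICEPERFDATA_raw" }
    }

    # 3. Drop the "label=" prefix and everything from the first ";" onwards.
    #    gsub applies every match, so "procs=0;5;10;0;" becomes "0".
    mutate {
      gsub => [ "SERVICEPERFDATA", "^[^=]*=|;.*$", "" ]
    }

    # 4. Convert in a *separate* mutate block. Within a single mutate filter
    #    convert runs before gsub, so combining them in one block would try
    #    to convert "procs=0;5;10;0;" and leave the field a string.
    mutate {
      convert => { "SERVICEPERFDATA" => "integer" }
    }

    # 5. Optional: also expose label, value and warn/crit thresholds as typed
    #    fields from the raw copy. Events whose perfdata does not match are
    #    tagged instead of being dropped, so parse failures stay visible.
    grok {
      match => {
        "SERVICEPERFDATA_raw" => "^(?<perf_label>[^=]+)=%{NUMBER:perf_value:int}(?:;%{NUMBER:perf_warn:int})?(?:;%{NUMBER:perf_crit:int})?"
      }
      tag_on_failure => [ "_perfdata_parse_failure" ]
    }
  }
}
```

With this in place the example line from #1 yields SERVICEPERFDATA => 0 (an integer, so it can be used in range queries and alerts), plus perf_label => "procs", perf_warn => 5 and perf_crit => 10 from the grok stage. If you only want the thread's minimal answer, steps 1, 3 and 4 are sufficient; the if guard just keeps events without a SERVICEPERFDATA field from being tagged with a parse failure.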


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.