Log4j in integration with logstash

pavana · July 12, 2016, 4:20pm

Is it possible to configure the data in message field in logged data. For example , I want to give data in message field while logging, whose logfield is INFO as shown below.

2016-06-16 INFO [main] (ElkSampleApp.java:20) - Airtel,500060,1000,$500

The above one is the log that is generated. Now when this is parsed to kibana it splits all the fields as shown below.

message: Airtel,500060,1000,$500 @version:1 @timestamp:July 12th 2016, 21:08:53.987 timestamp:1468337933955 path:ElkSampleApp priority:DEBUG logger_name:ElkSampleApp thread:main class:? file:?:? method:? application:playground host:127.0.0.1:59524 type:log4j _id:AVXfwtGVXesdkliHqf6S _type:log4j _index:logstash-2016.07.12 _score:

My message field has 4 sub-fields. "Airtel" representing "servicename", "500060" representing "pincode","1000" representing "number_of_users" and "$500" representing "profit". But these fields do not appear in kibana. Because the data in message field was not split. It takes the whole message as it is. Is there any chance to split or configure the data present in message field? If yes, then how can i do it?

magnusbaeck · July 12, 2016, 7:49pm

You can e.g. use the csv filter to split the message field.

pavana · July 13, 2016, 10:18am

Thank you so much. I am very new to elk. This was very helpful.

pavana · July 13, 2016, 10:55am

Also can you please help me with kibana. How should i search for data which has both Airtel as service name and $5000 as profit. If i am typing "Airtel"&"$5000" i am getting all the data that has Airtel or $5000 but i want data which has Airtel AND $5000 (i.e intersection of both fields).

magnusbaeck · July 13, 2016, 1:39pm

Please start a new thread in the Kibana category for your Kibana question.