Logstash - Add fields from the log fields property - Grok

AleGallagher · December 28, 2016, 12:59am

I'm learning logstash and I'm using Kibana to see the logs. I would like to know if is there anyway to add fields using data from message property.

For example, the log is like this:

port:46,722 host:172.18.0.5 message:{"@timestamp":"2016-12-28T00:34:53.198+00:00","@version":1,"message":"Entrada de datos incompletos","logger_name":"com.empresa.miAlquiler.controllers.UserController","thread_name":"http-nio-7777-exec-2","level":"INFO","level_value":20000,"HOSTNAME":"8fe48aff9ca8","spring.application.name":"visit-service","X-Span-Export":"false","X-B3-SpanId":"1cccc5c7252100c4","X-B3-TraceId":"1cccc5c7252100c4"} tags:_grokparsefailure

message, is a field. I want to get spring.application.name from message and convert it as a field, to filter the logs with it with Kibana.

How can I do that?

My Logstash conf file, looks like:

filter {
grok {
match => {
"message" =>
"^%{TIMESTAMP_ISO8601:timestamp}\s+%{LOGLEVEL:level}\s+%{NUMBER:pid}\s+---\s+[\s*%{USERNAME:thread}\s*]\s+%{JAVAFILE:logger_name}\s*:\s*%{DATA:themessage}(?:\n+(?(?:.|\r|\n)+))?$"
}
}
date {
match => [ "timestamp" , "yyyy-MM-dd HH:mm:ss.SSS" ]
}
mutate {
remove_field => ["@version"]

add_field => {"service_name" => "%{spring.application.name}"}

}
}

Thanks!

magnusbaeck · December 31, 2016, 1:17pm

Do not parse JSON strings with grok filters. Either change your input's codec to json or json_lines or use a json filter to parse the message field.

AleGallagher · January 3, 2017, 1:03pm

It works! Thank you very much!

system · January 31, 2017, 1:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.