LogStash - Add properties in the logback and send them to Logstash


(ALe) #1

I'm using Logback and Logstash in a SpringBoot application.

In the logback.xml I have a property with the name of the service, and it is like:

<configuration>
    <include resource="org/springframework/boot/logging/logback/defaults.xml" />

    <include resource="org/springframework/boot/logging/logback/console-appender.xml" />

    <property name="spring.application.name" value="service" scope="context"/>

    <appender name="stash" class="net.logstash.logback.appender.LogstashTcpSocketAppender">
        <destination>localhost:9600</destination>
        <encoder class="net.logstash.logback.encoder.LogstashEncoder"/>
    </appender>

    <root level="INFO">
        <appender-ref ref="CONSOLE" />
        <appender-ref ref="stash" />
    </root>
</configuration>

The Logstash conf file is like:

input {
  tcp {
    port => 9600
    host => logstash
  }
}

filter {
  grok {
    match => {
      "message" =>
        "^%{TIMESTAMP_ISO8601:timestamp}\s+%{LOGLEVEL:level}\s+%{NUMBER:pid}\s+---\s+[\s*%{USERNAME:thread}\s*]\s+%{JAVAFILE:class}\s*:\s*%{DATA:themessage}(?:\n+(?(?:.|\r|\n)+))?$"
    }
  }
  date {
    match => [ "timestamp" , "yyyy-MM-dd HH:mm:ss.SSS" ]
  }
  mutate {
    remove_field => ["@version"]
  }
}

output {
  elasticsearch {
    hosts => ["elasticsearch"]
    index => "indice"
  }
  stdout {}
}

The log is the following:

28T00:34:53.198+00:00","@version":1,"message":"Entrada de datos incompletos","logger_name":"com.empresa.miAlquiler.controllers.UserController","thread_name":"http-nio-7777-exec-2","level":"INFO","level_value":20000,"HOSTNAME":"8fe48aff9ca8","spring.application.name":"visit-service","X-Span-Export":"false","X-B3-SpanId":"1cccc5c7252100c4","X-B3-TraceId":"1cccc5c7252100c4"} tags:_grokparsefailure

But the problem is that the property appears in the log, but within the "message" field. I want to have the property as a field (outside of message), to filter the logs with Kibana.

Is there any way to do that?
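
Added example, not part of the original post or of the reply it refers to: LogstashEncoder already writes each event as one JSON object per line, so the grok pattern for the Spring Boot console layout cannot match it, which is what the `_grokparsefailure` tag in the log above shows. Decoding the tcp input with the `json_lines` codec turns every JSON key, including `spring.application.name`, into its own event field. The `service_name` field name is an assumption chosen for illustration.

```logstash
input {
  tcp {
    port  => 9600
    host  => "logstash"
    # LogstashTcpSocketAppender + LogstashEncoder send newline-delimited JSON;
    # json_lines parses each line into fields instead of one "message" string.
    codec => json_lines
  }
}

filter {
  # No grok or date filter is needed: "message", "level", "logger_name",
  # "thread_name" and "@timestamp" arrive as separate JSON keys.
  mutate {
    # Optional (assumed name): a field without dots is easier to filter on in Kibana.
    rename       => { "spring.application.name" => "service_name" }
    remove_field => ["@version"]
  }
}

output {
  elasticsearch {
    hosts => ["elasticsearch"]
    index => "indice"
  }
  stdout {}
}
```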


(Magnus Bäck) #2

I've responded to this question in your other thread. Please don't post the same question multiple times.


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.