Logstash and flexlm log

el_tunisiano38 · September 22, 2015, 9:26am

Hi everyone,

I am newbie at logstash and would like to parse a flexlm log file. The problem is the log is not easy to parse.

(lmgrd) FlexNet Licensing blabla TIMESTAMP 06/12/2015
09:25:48 (MLM) OUT: "MATLAB" USER2@MACH529
10:28:56 (MLM) IN: "MATLAB" USER2@MACH529

what's the best way to concatenate the Date (DD/MM/YYYY) with the time ?

i already used memorized filter, but it didn't let me concatenate these 2 fields.
"checkout_time" => "%{flexlm_ts} 09:25:48"

Thanks in advance for your help, and sorry for my bad english.

PhaedrusTheGreek · September 23, 2015, 3:18pm

Hi @el_tunisiano38, can you post your current logstash filter configuration ?

Thanks

el_tunisiano38 · September 24, 2015, 10:24am

yes of course,

filter {

  if [type] == "flexlm" {

   if [message] =~ /TIMESTAMP/ {
        grok {
                match => [ "message", "%{GREEDYDATA:greedy_data} TIMESTAMP %{DATE:flexlm_ts}" ]
             }
    }

    else if [message] =~ /OUT/ {
        grok {
            match => [ "message", "%{DATA:checkout_time} \(%{DATA:vendor}\) OUT: \"%{DATA:feature_name}\" %{DATA:user_id}@%{DATA:client_machine}" ]
        }
            mutate { replace => ["checkout_time", "%{flexlm_ts} %{checkout_time}"] }
    }
         memorize {
             fields => ['flexlm_ts']
        }
   }
}

PhaedrusTheGreek · September 24, 2015, 1:38pm

Hi @el_tunisiano38,

I found the problem, but I must first point out that logstash-filter-memorize is not an officially supported plugin (although I agree it does seem rather useful!)

When the filter runs, it has 2 jobs - it memorizes fields, and also injects memorized fields into the event. Since filters run in sequence, the memorized field had not yet been injected into the event when you tried to access it. Try this instead:

filter {

   if [message] =~ /TIMESTAMP/ {
        grok {
                match => [ "message", "%{GREEDYDATA:greedy_data} TIMESTAMP %{DATE:flexlm_ts}" ]
        }
    }

    memorize {
        fields => [ "flexlm_ts" ]
    }

    if [message] =~ /OUT/ {
        grok {
         match => [ "message", "%{DATA:checkout_time} \(%{DATA:vendor}\) OUT: \"%{DATA:feature_name}\" %{DATA:user_id}@%{DATA:client_machine}" ]
        }
        mutate { replace => ["checkout_time", "%{flexlm_ts} %{checkout_time}"] }
    }


}

el_tunisiano38 · September 24, 2015, 2:05pm

Hi Phaedrus,

Thanks alot, it works this way. but i tried a third option which does'nt work also except yours). I Placed the memorize in the first if block.

Thanks again.

Topic		Replies	Views
Store temporary variable Logstash	3	649	April 8, 2020
Yet another date parse problem (noob) Logstash	7	702	May 15, 2018
Grok parsing timestamp with 2 fields Logstash	9	763	November 17, 2021
Parse different datetime values into timestamp Logstash	4	604	April 14, 2017
Logstash date extraction help Logstash	3	612	December 26, 2016

Logstash and flexlm log

Related topics