Logstash combining logs from multiple sources


(Telstra Aus) #1

Hi,

Scenario: We are trying to scan post-execution logs from Filebeat and feed them to Logstash to get them into Elasticsearch.

Problem: Logstash is combining logs from different locations/sources into one document.

Artefacts: PFA the screenshot; below is the JSON of the document.

JSON:
{
  "_index": "lrlogs-2018.09.10",
  "_type": "LR_Post_execution_Logs",
  "_id": "AWXDEudNg23FnpmIN_qt",
  "_version": 1,
  "_score": null,
  "_source": {
    "offset": [
      1859,
      842,
      1519,
      2911,
      572,
      2686,
      3714
    ],
    "input_type": "log",
    "source": [
      "\\Sgbnftapp04\nft\R1\SWP51\Results\ELK021193\log\Search_Contact_44.log",
      "\\Sgbnftapp04\nft\R1\SWP51\Results\ELK021193\log\Maxis_R1_Swap51_ViewbalanceAndServices_9.log",
      "\\Sgbnftapp04\nft\R1\SWP51\Results\ELK021193\log\Maxis_R1_OMS_ResumeOrder_5.log",
      "\\Sgbnftapp04\nft\R1\SWP51\Results\ELK021193\log\Maxis_R1_OMS_CeaseOrde_5.log",
      "\\Sgbnftapp04\nft\R1\SWP51\Results\ELK021193\log\CreateContact_v1_23.log",
      "\\Sgbnftapp04\nft\R1\SWP51\Results\ELK021193\log\Provide_Jvuser_Final_v4_18.log",
      "\\Sgbnftapp04\nft\R1\SWP51\Results\ELK021193\log\EditProfile_new_6.log"
    ],
    "message": "Start auto log messages stack - Iteration 144.\t[MsgId: MMSG-10545]\nAction2.c(376): Warning -26628: HTTP Status-Code=403 (Forbidden) for "http://10.218.15.243/rp-server/commerce/customer/50077978/product?salesChannel=MC&lo=en_US&productId=1000050540" [issued at Action2.c(385)] \t[MsgId: MWAR-26628]\nNotify: Transaction "R1_OMS_ResumeOrder_01_Click_On_Search_Assign_Product" started.\t[MsgId: MMSG-16999]\nNotify: Transaction "R1_OMS_CeaseOrder_09_Search_By_OrderID" started.\t[MsgId: MMSG-16999]\nAction4.c(150): lr_think_time: 1.00 seconds (recorded think time was 2.00 seconds).\t[MsgId: MMSG-15947]\nNotify: Transaction "Maxis_R1_OMS_ProvideOrder_13_SubmitOrder" ended with a "Pass" status (Duration: 0.3779).\t[MsgId: MMSG-16873]\nAction1.c(104): Warning -26612: HTTP Status-Code=500 (Internal Server Error) for "http://10.218.15.243/rp-server/care/customer/50124792?salesChannel=MC&lo=en_US&preOrderEligibility=true" \t[MsgId: MWAR-26612]",
    "type": "log",
    "tags": [
      "beats_input_codec_plain_applied",
      "multiline"
    ],
    "@timestamp": "2018-09-10T10:41:56.721Z",
    "@version": "1",
    "beat": {
      "name": "SGBNFTAPP07",
      "hostname": "SGBNFTAPP07",
      "version": "5.6.3"
    },
    "host": "SGBNFTAPP07",
    "fields": {
      "log_type": [
        "LR_PostExecutionLogs_CRM_Search_Contact",
        "LR_PostExecutionLogs_Digital_ViewbalanceAndServices",
        "LR_PostExecutionLogs_OMS_ResumeOrder",
        "LR_PostExecutionLogs_OMS_CeaseOrder",
        "LR_PostExecutionLogs_RM_GUI_CreateContact",
        "LR_PostExecutionLogs_OMS_Provide_Order_GUI",
        "LR_PostExecutionLogs_Digital_EditProfile"
      ]
    }
  },
  "fields": {
    "@timestamp": [
      1536576116721
    ]
  },
  "sort": [
    1536576116721
  ]
}


(Magnus Bäck) #2

What do your Logstash and Filebeat configurations look like?

