Logstash Data Filter

Bheeshma · February 17, 2018, 4:31pm

Hi,

I have application log file with user log in and logout details , number of users logged in to the application and the status of the application in the below format recorded in App.log file.

[Tue Oct 17 12:15:01 2017]Local/App0///14296/Info(1051187)

Logging in user [admin@Native Directory] from [::ffff:10.77.2.1

I tried filter the data using below statement, it is never showing anything onto Kibana... Can you please guide how to filter if the logs recorded in the above format

input {
file {
path => "/var/lib/logstash/APP.LOG"
start_position => "beginning"
}
}

filter {
grok {
match => { "message" => "%{TIMESTAMP:dd MM YY HH:MM:SS} %{WORD:message}" }
}
}

output {
elasticsearch { hosts => ["localhost:9200"] }
stdout { codec => rubydebug }
}

Thanks
Bheeshma

magnusbaeck · February 18, 2018, 2:28pm

You've misunderstood how the grok filter works. You have also conflated it with the date filter. Try using the grok constructor web site to get help building your grok expression.

system · March 18, 2018, 2:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.