Logstash dublicate message

baha1 · July 3, 2017, 3:41pm

Hi there,
this is my pepiline.conf:

input {
        file {
        path => "c:/logstash.log"
        start_position => "beginning"
        sincedb_path => "/dev/null"
        codec => multiline {
        pattern => "^%{TIME}"
        negate => true
        what => previous
   }}}
filter {
grok{
	  match => { "message" => "%{TIME:date} %{LOGLEVEL:level} %{GREEDYDATA:message}" }
    add_tag => [ "groked" ]
    remove_tag => ["_grokparsefailure"]
}}
output {
if	"ERROR" in [level]
{
elasticsearch {
  hosts=>"localhost:9200"
  index => "errors"
  document_type => "error"
  } }
stdout { codec => rubydebug }
}

I get this result in elasticsearch:

message: [
"16:54:46,234 ERROR [stderr] (ServerService Thread Pool -- 42) at org.slf4j.impl.StaticLoggerBinder.<clinit>(StaticLoggerBinder.java:55)",
"[stderr] (ServerService Thread Pool -- 42) at org.slf4j.impl.StaticLoggerBinder.<clinit>(StaticLoggerBinder.java:55)"
]

As you see the message error is dublicated.So,how can i keep juste the seconde message.
Thank you for your helps.

jsvd · July 3, 2017, 6:15pm

in the grok plugin you can use the overwrite option

grok{
  match => { "message" => "%{TIME:date} %{LOGLEVEL:level} %{GREEDYDATA:message}" }
  add_tag => [ "groked" ]
  remove_tag => ["_grokparsefailure"]
  overwrite => ["message"]
}

baha1 · July 4, 2017, 9:08am

Thank you so much @jsvd.its works fine.

system · August 1, 2017, 9:08am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.