Logstash filter seems not working

Pradana · December 15, 2019, 1:35am

Hi,

I hv below configuration with my logststash :

input {
beats {
port => 5044
}
}
filter{
if [fields][sourcelog]=="cdrlog" {
grok {
match => { "message" => "%{TIMESTAMP_ISO8601:logdate:date} %{LOGLEVEL:debugtype} %{DATA:source} %{TIMESTAMP_ISO8601:smsdate:date},%{WORD:sourceaddr},%{NUMBER:addrton},%{NUMBER:addrnpi},%{WOR
D:destaddr},%{NUMBER:sourceton},%{NUMBER:sourcenpi},%{WORD:status},%{WORD:transport},%{WORD:trtype},%{WORD:trsender}" }}

    grok { match => [ "sourceaddr", "^(?<operator>.....)" ] }

    translate {

field => "operator"
destination => "operator_name"
dictionary => [
"62811", "Telkomsel",
"62812", "Telkomsel",
"62813", "Telkomsel",
"62821", "Telkomsel",
"62822", "Telkomsel",
"62823", "Telkomsel",
"62851", "Telkomsel",
"62852", "Telkomsel",
"62853", "Telkomsel",
"62814", "Indosat",
"62815", "Indosat",
"62816", "Indosat",
"62855", "Indosat",
"62856", "Indosat",
"62857", "Indosat",
"62858", "Indosat",
"62817", "XL",
"62818", "XL",
"62819", "XL",
"62859", "XL",
"62877", "XL",
"62878", "XL",
"62831", "XL",
"62832", "XL",
"62833", "XL",
"62838", "XL",
"62895", "Tri",
"62896", "Tri",
"62897", "Tri",
"62898", "Tri",
"62899", "Tri",
"62881", "Smartfren",
"62882", "Smartfren",
"62883", "Smartfren",
"62884", "Smartfren",
"62885", "Smartfren",
"62886", "Smartfren",
"62887", "Smartfren",
"62888", "Smartfren",
"62889", "Smartfren",
"62828", "Net1"
]

     }


    translate {

field => "operator"
destination => "smstype"
dictionary => [
"62811", "Incoming",
"62812", "Incoming",
"62813", "Incoming",
"62821", "Incoming",
"62822", "Incoming",
"62823", "Incoming",
"62851", "Incoming",
"62852", "Incoming",
"62853", "Incoming",
"62814", "Incoming",
"62815", "Incoming",
"62816", "Incoming",
"62855", "Incoming",
"62856", "Incoming",
"62857", "Incoming",
"62858", "Incoming",
"62817", "Incoming",
"62818", "Incoming",
"62819", "Incoming",
"62859", "Incoming",
"62877", "Incoming",
"62878", "Incoming",
"62831", "Incoming",
"62832", "Incoming",
"62833", "Incoming",
"62838", "Incoming",
"62895", "Incoming",
"62896", "Incoming",
"62897", "Incoming",
"62898", "Incoming",
"62899", "Incoming",
"62881", "Incoming",
"62882", "Incoming",
"62883", "Incoming",
"62884", "Incoming",
"62885", "Incoming",
"62886", "Incoming",
"62887", "Incoming",
"62888", "Incoming",
"62889", "Incoming",
"62828", "Outgoing"
]

}


date {
  match => [ "smsdate", "ISO8601" ]
  target => ["@timestamp"]
}

date {
  match => [ "smsdate", "ISO8601" ]
  target => ["smsdate"]
}






    }

}
output {
elasticsearch {
hosts => ["localhost:9200"]
sniffing => true
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
}
}

The input is coming from filebeat with the following :

{
  "_index": "filebeat-2019.12.14",
  "_type": "doc",
  "_id": "nlAUA28BDii-OZlyZvGn",
  "_version": 1,
  "_score": null,
  "_source": {
    "log": {
      "file": {
        "path": "/opt/eolos/TelScale-smsc-jboss-7.5.1-95/jboss-5.1.0.GA/server/default/log/cdr.log"
      }
    },
    "source": "/opt/eolos/TelScale-smsc-jboss-7.5.1-95/jboss-5.1.0.GA/server/default/log/cdr.log",
    "offset": 66451087,
    "message": "2019-12-14 06:24:24,440 DEBUG [org.mobicents.smsc.library.CdrGenerator] 2019-12-14 06:24:24.424,6282800082800,1,1,6285769178147 ,1,1,failed,SMPP,message,serdadu,11257533,null,null,null,null,null,null,null,25,0,null,1,6,,,,,\"438482\",\"MAPException when sending SRI from sendSRI(): org.mobicents.protocols.ss7.map.api.MAPException: char should be between 0 - 9  *  #  a  b  c for Telephony Binary Coded Decimal String. Received  \",,,",
    "input": {
      "type": "log"
    },
    "fields": {
      "sourcelog": "cdrlog"
    },
    "@timestamp": "2019-12-14T06:24:24.676Z",
    "tags": [
      "beats_input_codec_plain_applied",
      "_grokparsefailure"
    ],
    "beat": {
      "hostname": "TelScale-3",
      "name": "TelScale-3",
      "version": "6.8.4"
    },
    "@version": "1",
    "prospector": {
      "type": "log"
    },
    "host": {
      "name": "TelScale-3",
      "id": "05cb8c7b39fe0f70e3ce97e5beab809d",
      "architecture": "x86_64",
      "os": {
        "name": "CentOS Linux",
        "version": "7 (Core)",
        "codename": "Core",
        "platform": "centos",
        "family": "redhat"
      },
      "containerized": false
    }
  },
  "fields": {
    "@timestamp": [
      "2019-12-14T06:24:24.676Z"
    ]
  },
  "sort": [
    1576304664676
  ]
}

But it seems above data is not being process by the filter.
I would like to understand where is the issue. Anyone has this kind of problem before ?

Regards

Pradana

VietCong · December 15, 2019, 9:13pm

I would start by looking at logstash logs and elasticsearch logs to see where the problem is. You are likely to be able to find where the problem is with logstash logs

system · January 12, 2020, 9:13pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash is not parsing the data base on config Logstash	11	388	July 13, 2018
Grok filter isn't working but working in kibana grok debugger Logstash	1	189	May 9, 2023
Logstash filter from Logstash-forwarder Logstash	3	709	July 6, 2017
Grok filter TIMESTAMP_ISO8601 Logstash not working Logstash	3	2641	May 8, 2019
Logstash filter for django logs not working Logstash	2	1266	May 20, 2017

Logstash filter seems not working

Related topics