I have sent logs from Filebeat to Logstash with different tags to treat them in different ways. This is the format of a line of one of my log files, and I don't know how to analyze it.
17-02-2020 03:08:20TO -> | Brand : TT | Channel : sms | user_id : 14567 | DirNum : 96708790 | identity ( idType : 1 idNumber : G2CH136G ) | country : lybie | Msisdn : 92091418 | IMSI : 892160208015358468 Status : 1 Out Code : Error while activating the sim .
So can anyone help me to know how to put a condition on the field status to only show the lines that met an error (which have a status different from 0), and finally to save to an Elasticsearch index only the timestamp, Msisdn and the error message?
I'll be very thankful if someone will help me with this issue.
I would try something like:
```
filter {
  # Everything before the first "T" is the timestamp ("17-02-2020 03:08:20").
  dissect { mapping => { "message" => "%{[@metadata][ts]}T%{}" } }
  # The sample timestamp is dd-MM-yyyy HH:mm:ss, not ISO8601, so date needs a matching pattern.
  date { match => [ "[@metadata][ts]", "dd-MM-yyyy HH:mm:ss" ] }
  grok {
    # Apply every pattern in the list, not only the first one that matches.
    break_on_match => false
    match => {
      "message" => [
        "Status : %{NUMBER:status} ",
        "Msisdn : %{NUMBER:msisdn} ",
        # GREEDYDATA: a DATA pattern at the very end of an expression matches the empty string.
        "Code : %{GREEDYDATA:errorMessage}"
      ]
    }
  }
  # Keep only the events that report an error.
  if [status] == "0" { drop {} }
}
```
Thank you very much for your reply; it helps me a lot to know how to deal with this problem, but I don't understand how you identify the fields to focus only on the values in these pairs, and how you deal with this separator |.
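As an added illustration of the two approaches discussed in this thread (my own Python, not part of any reply and not Logstash code), the block below parses a line in the format from the question twice: once by splitting on `|` into `key : value` pairs, and once with targeted patterns that do the same job as the dissect and grok expressions in the reply. It then applies the `status != 0` condition and reduces each event to the three fields the question wants indexed. The sample lines, and the field names `msisdn` and `error_message`, are my own constructions.

```python
import re
from datetime import datetime

# Constructed sample lines in the format shown in the question (not real log data).
SAMPLE_LOG = [
    "17-02-2020 03:08:20TO -> | Brand : TT | Channel : sms | user_id : 14567 | DirNum : 96708790 "
    "| identity ( idType : 1 idNumber : G2CH136G ) | country : lybie | Msisdn : 92091418 "
    "| IMSI : 892160208015358468 Status : 1 Out Code : Error while activating the sim .",
    "17-02-2020 03:09:05TO -> | Brand : TT | Channel : sms | user_id : 14568 | DirNum : 96708791 "
    "| identity ( idType : 1 idNumber : H7KL902P ) | country : lybie | Msisdn : 92091419 "
    "| IMSI : 892160208015358469 Status : 0 Out Code : OK .",
]

# Equivalent of dissect "%{ts}T%{}": everything before the first 'T' is the timestamp.
TS_RE = re.compile(r"^(?P<ts>[^T]*)T")
TS_FORMAT = "%d-%m-%Y %H:%M:%S"  # dd-MM-yyyy HH:mm:ss, as in the sample line

# Equivalents of the three grok patterns. The \b plays the role of the space after
# %{NUMBER:...}; the greedy (?P<v>.*) plays the role of GREEDYDATA.
FIELD_RES = {
    "status": re.compile(r"Status : (?P<v>\d+)\b"),
    "msisdn": re.compile(r"Msisdn : (?P<v>\d+)\b"),
    "error_message": re.compile(r"Code : (?P<v>.*)$"),
}


def split_pairs(line):
    """Naive '|'-separated 'key : value' parse (what a kv filter on '|' would give)."""
    pairs = {}
    for segment in line.split("|"):
        key, sep, value = segment.partition(" : ")
        if sep:
            pairs[key.strip()] = value.strip()
    return pairs


def parse_line(line):
    """Extract timestamp, status, msisdn and error message with targeted patterns."""
    m = TS_RE.match(line)
    if not m:
        return None  # no recognisable timestamp, like a dissect failure
    event = {"@timestamp": datetime.strptime(m.group("ts").strip(), TS_FORMAT)}
    for name, rx in FIELD_RES.items():
        f = rx.search(line)
        if f is None:
            return None  # like _grokparsefailure: not a line we can use
        event[name] = f.group("v").strip(" .")  # drop the trailing " ." of the message
    return event


def failed_activations(lines):
    """Keep events whose status is not 0, reduced to the three fields to be indexed
    (the equivalent of the drop {} condition plus removing every other field)."""
    docs = []
    for line in lines:
        event = parse_line(line)
        if event is None or event["status"] == "0":
            continue
        docs.append({
            "@timestamp": event["@timestamp"].isoformat(),
            "msisdn": event["msisdn"],
            "error_message": event["error_message"],
        })
    return docs


if __name__ == "__main__":
    print(split_pairs(SAMPLE_LOG[0]))
    for doc in failed_activations(SAMPLE_LOG):
        print(doc)
```

Running `split_pairs` on the first sample shows why the reply does not split on `|`: the last segment carries `IMSI`, `Status` and `Out Code` with no separator between them, so `Status` never becomes its own key and `IMSI` swallows the rest of the line. Matching `Status : `, `Msisdn : ` and `Code : ` directly, as the grok patterns do, is independent of where the `|` separators happen to be.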