Logstash/Grok help

mduckett1 · April 26, 2017, 1:11pm

Hi,

I am trying to pull in some logs using filebeat and having some trouble (mainly because of lack of understanding I think).

The log file has multiple lines like this:

2017-04-09 12:53:10 INFO: InsertedAt=2017-04-09 11:52:34; EventID=XXXX; EventTime=2017-04-09 11:52:33; EventTypeID=X; EventType=XXXXX; Name=; ReportingName=XXXXX; UserName=XXXXX; ActionID=X; Action=XXXX; SubTypeID=; SubType=; DeviceTypeID=x; DeviceType=XXXXX; Model=XXXXX; DeviceID=; ComputerName=XXXXX;

I'd like to extract each item into its own field, so started with a grok filter to get the timestamp and the rest of the message:

["message", "%{DATESTAMP:timestamp} INFO: %{GREEDYDATA:filebeat_message"]

This works on a grok test site, but it is being tagged with _grokparsefailure by logstash.

I'd like to then split the rest of the message into the fields seperated by ;

Hope that makes sense, sorry Im quite new to this and learning as I go!

Thanks,

Mike

magnusbaeck · April 26, 2017, 1:33pm

DATESTAMP won't work but TIMESTAMP_ISO8601 should work. When you've got the grok filter working, feed filebeat_message to a kv filter.

mduckett1 · April 26, 2017, 2:03pm

Thanks Magnus, I had just started looking at kv filter and using this:

kv {
source => "filebeat_message"
value_split => "="
field_split => "; "
}

Seems to split it up as required, the grok filter doesnt seem to work though even changing to TIMESTAMP_ISO8601 I still get a _grokparsefailure.

However Im guessing I should be able to just do this with the kv filter shouldnt i? Once its been through that I can use a date to set the timestamp to EventTIme?

magnusbaeck · April 26, 2017, 2:08pm

I'm quite sure TIMESTAMP_ISO8601 works.
Don't include a space in the field_split value. That value is not a multi-character string but a character class, so if you include a space then spaces will also be field splitters. Use the trim option to remove the extra spaces. Check the kv filter docs for your version of Logstash for the exact option name.
Yes, you should probably use the EventTime value instead, but you'll still want to use grok to extract the key/value pairs form the string. Otherwise the first first is going to be "2017-04-09 12:53:10 INFO: InsertedAt".

mduckett1 · May 3, 2017, 2:32pm

Thanks Magnus, in the end it turned out there was another config file being used that had no if statement on it's filter causing this _grokparsefailure. All seems to be working correctly now.

Topic		Replies	Views
Multiple Grok Filters Logstash	5	1517	July 26, 2017
Cannot parse logs with date filter Logstash	4	908	October 18, 2017
Create pattern in logstash Logstash	16	2406	January 15, 2018
Filter logstash with grok not work Beats filebeat	6	482	January 21, 2021
Not displaying fields specified in the Logstash filter Logstash	11	4764	July 6, 2017

Logstash/Grok help

Related topics