Logstash grok matching entire filebeat message instead of message inside

elasticheart · November 4, 2016, 5:41am

I have setup Filebeat -> Kafka -> Logstash -> Elasticseatch system.

I have filebeat output like;

{"@timestamp":"2016-11-04T05:16:16.108Z","beat":{"hostname":"localhost","name":"localhost","version":"5.0.0"},"fields":{"logtype":"logfile"},"input_type":"log","message":"\u003cOct 31, 2016 6:37:40:678 AM\u003e \u003cdataa\u003e \u003cdatab\u003e \u003cdatac\u003e \u003datad\u003e \u003cdatae\u003e \u003cdataf\u003e \u003cgatag\u003e\n \u003cdatah\u003e","offset":273,"source":"/logfiles/logfile.log","type":"logfile"}

I have setup logstash grok to match this message like;

grok {
	match => { "message" => "%{GREEDYDATA:messageDataA}" }
}

But it is pushing entire beat data like @timestamp, hostname, etc (the whole filebeat output line I have mentioned above) to messageDataA field. But I want to push only the message part inside filebeat message to be pushed. How can I do this? I am using 5.0 GA of Filebeat and Logstash.

magnusbaeck · November 4, 2016, 5:53am

It sounds like you're missing a codec => json setting in your kafka input. Please show your configuration and the output of a stdout { codec => rubydebug } output.

Using grok to copy data from one field to another is inefficient and unnecessary. Use a mutate filter to rename the field instead (or copy the field value with add_field if you really want to keep both fields).

elasticheart · November 4, 2016, 5:59am

codec => json solved the issue. Thanks a lot

Topic		Replies	Views
Logstash Adding Filebeat Fields Logstash	6	452	October 29, 2018
Grok parse failure in Logstash Logstash	2	1317	March 10, 2017
Filebeat -> logstash, wrapping message and extra fields problems! Logstash	7	2088	May 16, 2017
Parsing filebeat -> kafka -> logstash Logstash	2	3730	June 30, 2017
Edit filebeat mappings Beats filebeat	7	2017	July 5, 2017

Logstash grok matching entire filebeat message instead of message inside

Related topics