I've used Metricbeat 6.1 with Logstash 6.1 grok.
This is a grok attempt to identify all the processes and categorize them. These are mainly identified [java_apps], [unidentified_java_apps] and [general unidentified apps], using the system.process.cmdline from Metricbeat.
But they are all getting tagged as 'Unidentified'.
filter {
  grok {
    # Metricbeat ships this as a nested object, so the Logstash field
    # reference is [system][process][cmdline]; the dotted string
    # "system.process.cmdline" would look for a top-level field with a literal
    # dot in its name, which does not exist, so only the catch-all pattern fires.
    match => { "[system][process][cmdline]" => [
      "^%{GREEDYDATA:datanode} org.apache.hadoop.hdfs.server.datanode.DataNode$",
      "^%{GREEDYDATA:ambari_server} org.apache.ambari.server.controller.AmbariServer$",
      "^%{GREEDYDATA:unidentified_java}/bin/java%{GREEDYDATA}$",
      "^%{GREEDYDATA:unidentified}$"
    ] }
  }
  if [datanode] {
    mutate {
      replace => { "message" => "%{datanode}" }
      add_tag => ["DataNode"]
    }
  } else if [ambari_server] {
    mutate {
      replace => { "message" => "%{ambari_server}" }
      add_tag => ["Ambari_server"]
    }
  } else {
    mutate {
      add_tag => ["Unidentified"]
    }
  }
}
Am I supposed to use:
- "system.process.cmdline" ?
- "[@metadata][system][process][cmdline]"
- "[_source][system][process][cmdline]"
- this bit was answered by Grok filter not working
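To separate "the patterns don't match" from "the field reference is wrong", here is an added example (not from the original post or from Logstash itself) that ports the four grok patterns to Python regexes with grok's first-match semantics, mirrors the if/else tagging, and shows the nested lookup that `[system][process][cmdline]` performs versus the dotted key. The cmdlines and the event document are constructed.

```python
import re

# grok's GREEDYDATA is ".*"; the literal text is kept exactly as in the
# Logstash config (dots unescaped, as grok would also treat them).
GROK_PATTERNS = [
    re.compile(r"^(?P<datanode>.*) org.apache.hadoop.hdfs.server.datanode.DataNode$"),
    re.compile(r"^(?P<ambari_server>.*) org.apache.ambari.server.controller.AmbariServer$"),
    re.compile(r"^(?P<unidentified_java>.*)/bin/java.*$"),
    re.compile(r"^(?P<unidentified>.*)$"),
]


def classify(cmdline):
    """Return (tag, message, captured_fields) the way the grok + mutate blocks would.

    grok stops at the first pattern that matches, so ordering matters: a DataNode
    cmdline never reaches the generic /bin/java pattern.
    """
    fields = {}
    for rx in GROK_PATTERNS:
        m = rx.match(cmdline)
        if m:
            fields = m.groupdict()
            break
    if "datanode" in fields:
        return "DataNode", fields["datanode"], fields
    if "ambari_server" in fields:
        return "Ambari_server", fields["ambari_server"], fields
    # Both unidentified_java and unidentified end up in the else branch.
    return "Unidentified", cmdline, fields


def get_cmdline(event):
    """Resolve [system][process][cmdline]: a nested lookup, not a dotted key."""
    return event.get("system", {}).get("process", {}).get("cmdline")


# Constructed sample data (not real captures).
DATANODE_CMD = "/usr/lib/jvm/java/bin/java -Xmx1024m org.apache.hadoop.hdfs.server.datanode.DataNode"
AMBARI_CMD = "/usr/lib/jvm/java/bin/java -server org.apache.ambari.server.controller.AmbariServer"
JAVA_CMD = "/usr/lib/jvm/java/bin/java -jar /opt/app/foo.jar"
OTHER_CMD = "/usr/sbin/sshd -D"
SAMPLE_EVENT = {"@timestamp": "2018-01-01T00:00:00Z",
                "system": {"process": {"cmdline": DATANODE_CMD, "pid": 4242}}}

if __name__ == "__main__":
    for cmd in (DATANODE_CMD, AMBARI_CMD, JAVA_CMD, OTHER_CMD):
        print(classify(cmd))
    print(get_cmdline(SAMPLE_EVENT), SAMPLE_EVENT.get("system.process.cmdline"))
```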