Logstash how to different format message

Champion_Xie · August 24, 2020, 9:03am

07/20/20 00:48:28 INFO hello 353 us.(channel/Channel.cpp:575)
07/20/20 00:48:28 INFO transfercity:bj(city/cityTransferQueryBusiness.cpp:72)
07/20/20 00:48:29 INFO transferQuery city 965380 us.(channel/Channel.cpp:575)

how to parse match all lines

Champion_Xie · August 24, 2020, 9:04am

filter {
mutate {
    split => ["message"," INFO  "]
}

mutate {
    add_field =>   {
      "srsdate" => "%{[message][0]}"
      "temp1" => "%{[message][1]}"
    }
}

mutate {
  split => ["temp1", "("]
  add_field => {
      "other" => "%{[temp1][1]}"
      "useinfo" => "%{[temp1][0]}"
  }
  remove_field => ["other","message","temp1"]
}

 if [useinfo] =~ ":" {
   mutate {
     add_field => {
         "action" => "%{useinfo[0]}"
         "domain" => "%{useinfo[1]}"
     }
   }
 }

Badger · August 24, 2020, 3:48pm

That should get you an ambiguous reference error and logstash will likely fail to start. It should be %{[useinfo][0]}, although I do not see where you are actually doing a split on useinfo.

I would do this all using dissect.

dissect { mapping => { "message" => "%{ts} %{+ts} %{loglevel} %{messageBit}(%{filename}:%{lineNumber})%{}" } }

Champion_Xie · August 25, 2020, 2:32am

That's a cool way

Ultimately, if i want to remove Somenum and us. from messageBit, the following code can be implemented, and it's not sure if there's a better solution

filter {
dissect { mapping => { "message" => "%{ts} %{+ts} %{loglevel} %{messageBit}(%{})%{}" } }

mutate {
    strip => ["messageBit"]
}

if [messageBit] =~ ":" {
  mutate {
    split => ["messageBit",":"]
      add_field => {
        "action" => "%{[messageBit][0]}"
        "domain" => "%{[messageBit][1]}"
      }
  }
} else {
  if [messageBit] =~ " us." {
    mutate {
      split => ["messageBit"," us."]
      add_field => {
         "submsg" => "%{[messageBit][0]}"
     }
   }
mutate {
   split => ["submsg"," "]
     add_field => {
       "subact1" => "%{[submsg][0]}"
       "subact2" => "%{[submsg][1]}"
       "action" => "%{subact1}%{subact2}"
       }

       remove_field => ["subact1","subact2","submsg","loglevel"]
   }
 }

}
}

Champion_Xie · August 29, 2020, 4:11am

I look forward to more help @Badger

system · September 26, 2020, 4:11am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.