Logstash Index creation and parsing custom app log

jukkendar · August 10, 2016, 2:17pm

I have installed Logstash 2.3.1, elastic search 2.3.1 and Kibana 4.5.0 in windows 2008 server as services.
I can launch Kibana but unable to create Index in Kibana , Refer the log below.
I have verified the below config using command "logstash -f logstash.conf --configtest" and getting Configuration ok. Please suggest why index is not getting created and shown in Kibana.

input {
file {

  path => "E:/logstash/New/Logsetup/log/system.day20160518.log"
  start_position => "beginning"
  type => "logs"
}

}

filter {
grok {
match => { "message" => "%{DATESTAMP:StartTime} %{WORD:code1}-%{WORD:code2} %{WORD:code3} %{WORD:code4} : %{GREEDYDATA:log_message}"}
add_field => [ "StartTime", "%{@timestamp}" ]
}

}

output {
elasticsearch {
type => "logs"
hosts => ["localhost:9200"]
index => "logstash-%{+YYYY.MM.dd}"
}
}

theuntergeek · August 10, 2016, 2:41pm

This line should not be in your elasticsearch output block configuration, and should actually result in an error (at the very least, a deprecation message):

And these lines are unnecessary as they are the default values:

Also, if you ran with this statement:

more than one time, it will not re-read the file, even with start_position => "beginning". This is because there is a sincedb file created that wants to tail and resume where it left off. For re-reading old log files that will not receive any more data, you can get them to reread by adding sincedb_path => NUL (NUL is like /dev/null for Windows machines).

jukkendar · August 10, 2016, 3:40pm

Thanks for your reply. I have altered the config file as below but no go.

input {
file {

  path => "E:/logstash/New/Logsetup/log/system.day20160518.log"
  sincedb_path => "/dev/null"
  start_position => "beginning"
  type => "logs"
}

}

filter {
grok {
match => { "message" => "%{DATESTAMP:StartTime} %{WORD:code1}-%{WORD:code2} %{WORD:code3} %{WORD:code4} : %{GREEDYDATA:log_message}"}
add_field => [ "StartTime", "%{@timestamp}" ]
}

}

output {
elasticsearch {

}

theuntergeek · August 10, 2016, 3:52pm

As mentioned, /dev/null is for UNIX systems. You have a Windows path, so you should be using sincedb_path => NUL.

You should also test the output by changing the output block to be:

output {
  stdout { codec => rubydebug } 
#  elasticsearch { }
}

With the elasticsearch output disabled, by being commented. You will be able to see output at the command-line this way. If you do not get any output, that will also indicate why the index is not being created.

jukkendar · August 10, 2016, 4:05pm

When I try debugging in command line , getting the below message.

E:\logstash\New\logstash-2.3.1\bin>logstash -f E:\logstash\New\logstash-2.3.1\bi
n logstash.json --debug

T_HANDLER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_service};%{DATA:na
gios_state};%{DATA:nagios_statelevel};%{DATA:nagios_event_handler_name}", :level
=>:info, :file=>"/logstash/New/logstash-2.3.1/vendor/bundle/jruby/1.9/gems/jls-g
rok-0.11.2/lib/grok-pure.rb", :line=>"62", :method=>"add_pattern"}←[0m
←[32mAdding pattern {"NAGIOS_HOST_EVENT_HANDLER"=>"%{NAGIOS_TYPE_HOST_EVENT_HAND
LER:nagios_type}: %{DATA:nagios_hostname};%{DATA:nagios_state};%{DATA:nagios_sta
televel};%{DATA:nagios_event_handler_name}", :level=>:info, :file=>"/logstash/Ne
w/logstash-2.3.1/vendor/bundle/jruby/1.9/gems/jls-grok-0.11.2/lib/grok-pure.rb",
:line=>"62", :method=>"add_pattern"}←[0m
←[32mAdding pattern {"NAGIOS_TIMEPERIOD_TRANSITION"=>"%{NAGIOS_TYPE_TIMEPERIOD_T
RANSITION:nagios_type}: %{DATA:nagios_service};%{DATA:nagios_unknown1};%{DATA:na
gios_unknown2}", :level=>:info, :file=>"/logstash/New/logstash-2.3.1/vendor/bund
le/jruby/1.9/gems/jls-grok-0.11.2/lib/grok-pure.rb", :line=>"62", :method=>"add_
pattern"}←[0m
←[32mAdding pattern {"NAGIOS_EC_LINE_DISABLE_SVC_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL
_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_SVC_CHECK:nagios_command};%{DATA:nagi
os_hostname};%{DATA:nagios_service}", :level=>:info, :file=>"/logstash/New/logst
ash-2.3.1/vendor/bundle/jruby/1.9/gems/jls-grok-0.11.2/lib/grok-pure.rb", :line=

"62", :method=>"add_pattern"}←[0m
←[32mAdding pattern {"NAGIOS_EC_LINE_DISABLE_HOST_CHECK"=>"%{NAGIOS_TYPE_EXTERNA
L_COMMAND:nagios_type}: %{NAGIOS_EC_DISABLE_HOST_CHECK:nagios_command};%{DATA:na
gios_hostname}", :level=>:info, :file=>"/logstash/New/logstash-2.3.1/vendor/bund
le/jruby/1.9/gems/jls-grok-0.11.2/lib/grok-pure.rb", :line=>"62", :method=>"add_
pattern"}←[0m
←[32mAdding pattern {"NAGIOS_EC_LINE_ENABLE_SVC_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL_
COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_SVC_CHECK:nagios_command};%{DATA:nagios
_hostname};%{DATA:nagios_service}", :level=>:info, :file=>"/logstash/New/logstas
h-2.3.1/vendor/bundle/jruby/1.9/gems/jls-grok-0.11.2/lib/grok-pure.rb", :line=>"
62", :method=>"add_pattern"}←[0m
←[32mAdding pattern {"NAGIOS_EC_LINE_ENABLE_HOST_CHECK"=>"%{NAGIOS_TYPE_EXTERNAL
_COMMAND:nagios_type}: %{NAGIOS_EC_ENABLE_HOST_CHECK:nagios_command};%{DATA:nagi
os_hostname}", :level=>:info, :file=>"/logstash/New/logstash-2.3.1/vendor/bundle
/jruby/1.9/gems/jls-grok-0.11.2/lib/grok-pure.rb", :line=>"62", :method=>"add_pa
ttern"}←[0m

theuntergeek · August 10, 2016, 4:22pm

This seems incomplete. The Adding pattern lines aren't helpful and do not indicate any errors. Can you filter those out?

theuntergeek · August 10, 2016, 4:24pm

and in the same grok block:

Is StartTime getting its data from grok, or from @timestamp?

jukkendar · August 10, 2016, 4:59pm

App log file will look like , so used grok timefield based on log.

2016/08/09 00:43:38.169 S-300000 text text : ssytem error.

Updated conf without grok and getting the below error

input {
file {

  path => "E:/logstash/New/Logsetup/log/system.day20160518.log"
  sincedb_path => "Nul"
  start_position => "beginning"
  type => "logs"
}

}

output {
stdout { codec => rubydebug }
elasticsearch { }
}

←[36mconfig LogStash::Inputs::File/@delimiter = "\n" {:level=>:debug, :file=>"/l
ogstash/New/logstash-2.3.1/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.1-java
/lib/logstash/config/mixin.rb", :line=>"153", :method=>"config_init"}←[0m
←[36mconfig LogStash::Inputs::File/@ignore_older = 86400 {:level=>:debug, :file=

"/logstash/New/logstash-2.3.1/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.1-
java/lib/logstash/config/mixin.rb", :line=>"153", :method=>"config_init"}←[0m
←[36mconfig LogStash::Inputs::File/@close_older = 3600 {:level=>:debug, :file=>"
/logstash/New/logstash-2.3.1/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.1-ja
va/lib/logstash/config/mixin.rb", :line=>"153", :method=>"config_init"}←[0m
←[36mPlugin not defined in namespace, checking for plugin file {:type=>"output",
:name=>"stdout", :path=>"logstash/outputs/stdout", :level=>:debug, :file=>"/log
stash/New/logstash-2.3.1/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.1-java/l
ib/logstash/plugin.rb", :line=>"76", :method=>"lookup"}←[0m
←[32mstarting agent {:level=>:info, :file=>"/logstash/New/logstash-2.3.1/vendor/
bundle/jruby/1.9/gems/logstash-core-2.3.1-java/lib/logstash/agent.rb", :line=>"2
07", :method=>"execute"}←[0m

magnusbaeck · August 10, 2016, 5:33pm

If the modification time of system.day20160518.log is older than 24 hours you need to adjust the file input's ignore_older option.

jukkendar · August 10, 2016, 5:55pm

I tried after changing the DATESTAMP with current date as a file name and also the DATESTAMP
inside the log file also.

Even though i am getting a same error as i posted below:

E:\logstash\New\logstash-2.3.1\bin>logstash -f logstash.json --debug
io/console not supported; tty will not be manipulated
←[36mReading config file {:config_file=>"E:/logstash/New/logstash-2.3.1/bin/logs
tash.json", :level=>:debug, :file=>"/logstash/New/logstash-2.3.1/vendor/bundle/j
ruby/1.9/gems/logstash-core-2.3.1-java/lib/logstash/config/loader.rb", :line=>"6
9", :method=>"local_config"}←[0m
←[36mPlugin not defined in namespace, checking for plugin file {:type=>"input",
:name=>"file", :path=>"logstash/inputs/file", :level=>:debug, :file=>"/logstash/
New/logstash-2.3.1/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.1-java/lib/log
stash/plugin.rb", :line=>"76", :method=>"lookup"}←[0m
←[36mPlugin not defined in namespace, checking for plugin file {:type=>"codec",
:name=>"plain", :path=>"logstash/codecs/plain", :level=>:debug, :file=>"/logstas
h/New/logstash-2.3.1/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.1-java/lib/l
ogstash/plugin.rb", :line=>"76", :method=>"lookup"}←[0m
←[36mconfig LogStash::Codecs::Plain/@charset = "UTF-8" {:level=>:debug, :file=>"
/logstash/New/logstash-2.3.1/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.1-ja
va/lib/logstash/config/mixin.rb", :line=>"153", :method=>"config_init"}←[0m
←[36mconfig LogStash::Inputs::File/@path = ["E:/logstash/New/Logsetup/log/system
.day20160810.log"] {:level=>:debug, :file=>"/logstash/New/logstash-2.3.1/vendor/
bundle/jruby/1.9/gems/logstash-core-2.3.1-java/lib/logstash/config/mixin.rb", :l
ine=>"153", :method=>"config_init"}←[0m
←[36mconfig LogStash::Inputs::File/@sincedb_path = "Nul" {:level=>:debug, :file=

"/logstash/New/logstash-2.3.1/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.1-
java/lib/logstash/config/mixin.rb", :line=>"153", :method=>"config_init"}←[0m
←[36mconfig LogStash::Inputs::File/@start_position = "beginning" {:level=>:debug
, :file=>"/logstash/New/logstash-2.3.1/vendor/bundle/jruby/1.9/gems/logstash-cor
e-2.3.1-java/lib/logstash/config/mixin.rb", :line=>"153", :method=>"config_init"
}←[0m

theuntergeek · August 10, 2016, 8:24pm

I wouldn't even bother with grok before ensuring that data flows. You can comment out the entire filter block with # on each line. If you don't see data flowing, chasing grok is not going to help.

Try the ignore_older suggestion from @magnusbaeck. I'm also not sure whether Nul and NUL are the same to Windows, so I suggest making Nul into NUL.

jukkendar · August 15, 2016, 9:25am

I have my log file name like 00331_ln2_systemday20160814 , so when creating a index I want to add 2 new fields like store no from file name "00331" and Laneno as "ln2". Refer my grok file below.
Help me to add add_fields.

filter {
grok {
match => { "message" => "%{DATESTAMP:timestamp} %{WORD:code1}-%{WORD:code2} %{WORD:code3} %{WORD:code4} : %{GREEDYDATA:log_message}" }
break_on_match => false
}
}

magnusbaeck · August 15, 2016, 10:39am

You'll find the path to the file in the path field, so just add a grok filter that extracts the desired fields from that field.

jukkendar · August 15, 2016, 11:04am

Thanks magnus for quick reply. Do you mean the below line is correct? . Path has full file path, so is there any param for filename?

Please share me some example.

add_field => {"Store_num","%{GREEDYDATA}/%{GREEDYDATA:path}"}

magnusbaeck · August 15, 2016, 7:41pm

Do you mean the below line is correct?

No. For starters it's not a grok filter.

Path has full file path, so is there any param for filename?

grok {
  match => {
    "path" => "/(?<filename>[^/]+)$"
  }
}

I gave this exact example and explained how it worked in another thread just a few days ago.

Topic		Replies	Views
Logstash not creating index on elasticsearch Logstash	5	4704	May 17, 2017
Unable to create index Kibana	13	7607	May 5, 2017
Can not create an index Logstash	5	292	January 6, 2021
Logstash has started but no elastic search index created in kibana Logstash	3	832	November 6, 2018
Logstash does not create index and doesn't give out any errors. Help Logstash	11	5565	July 6, 2017

Logstash Index creation and parsing custom app log

Related topics