Logstash is not breaking the logs

shruti51 · October 7, 2018, 9:29am

Hi,

Logstash is not breaking the logs It is throwing the error:

[2018-10-07T13:57:46,327][WARN ][org.logstash.dissect.Dissector] Dissector mapping, pattern not found {"field"=>"message
", "pattern"=>"%{Timestamp} ##%{HostName}##%{Service_Name}##%{RICEF}

Please help.

Christian_Dahlqvist · October 7, 2018, 4:44pm

Please show the configuration that resulted in this error.

shruti51 · October 8, 2018, 11:50am

HI Christian,

Please find the config file.
input {
beats {
port => 5044
}
}

The filter part of this file is commented out to indicate that it is

optional.

filter {

	if [fields][log_type] == "SP-SAG" {
	if "JMS Message In" in [message] {
		dissect {
			mapping => { 
				message => "%{Timestamp} ##%{HostName}##%{Service_Name}##%{RICEF}##%{Filler1}##%{Correlation_Id}##%{Filler2}##%Service Started : %{StartServiceMessage}##%{Filler3}##%{Filler4}##%{Filler5}##%{Filler6}##%{ServiceContextId}##%{UserName}##%{Filler7}##JMS Message In : %{sourcexmlfile}" }
		}
		xml {
			source => "sourcexmlfile"
			store_xml => false
			xpath => ["/ZWP_PLU03/IDOC/EDI_DC40/DOCNUM/text()", "idoc_no"]
			xpath => ["/ZWP_PLU03/IDOC/E1WPA01[@SEGMENT='1']/FILIALE/text()", "store_no"]
		}
		mutate { 
			remove_field => [ "sourcexmlfile" ]
		}
	}
	if "TARGET MESSAGEJMS Message Out" in [message] {
		dissect {
			mapping => { 
				message => "%{Timestamp} ##%{HostName}##%{Service_Name}##%{RICEF}##%{IDOC}##%{Correlation_Id}##%{Filler1}##%END SERVICE MESSAGE - SERVICE NAME : %{EndServiceMessage}##%{Filler2}##%{Filler3}##%{Filler4}##%{Filler5}##%{ServiceContextId}##%{UserName}##%{Filler6}##TARGET MESSAGEJMS Message Out : %{targetxmlfile}" }
		}
		xml {
			source => "targetxmlfile"
			store_xml => false
			xpath => ["/FILE/@batchNo", "target_idoc_no"]
			xpath => ["/FILE/TRANSACTION/PRICE/PRICES/PRODUCT_PRICE/@price_band", "store_no"]
		}
		mutate { 
			remove_field => [ "targetxmlfile" ]
		}
	}
	if "Validation is success" in [message] {
		dissect {
			mapping => { 
				message => "%{Timestamp} ##%{HostName}##%{Service_Name}##%{RICEF}##%{IDOC}##%{Correlation_Id}##%{Filler1}##%{SourceValidationMessage}##%{Filler2}##%{Filler3}##%{Filler4}##%{Filler5}##%{ServiceContextId}##%{UserName}##%{Filler6}##%{Filler7}" }
		}
					
	
	if "##ERROR CODE" in [message] {
		dissect {
			mapping => {
				message => "%{Timestamp} ##%{HostName}##%{Service_Name}##%{RICEF}##%{IDOC}##%{Correlation_Id}##%{Filler1}##END SERVICE MESSAGE - SERVICE NAME : %{EndServiceMessage}##%{Filler2}##%{Filler3}##%{Filler4}##%{Filler5}##%{ServiceContextId}##%{UserName}##%{Filler6}##%{ERRORMESSAGE}"
			}
		}
	}
}

}
}

output {
elasticsearch {
hosts => "localhost:9200"
manage_template => false
index => "elkrft-ind-%{+YYYY.MM.dd}"
}
stdout { codec => rubydebug }
}

system · November 5, 2018, 12:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.