Logstash is not splitting apache log fields

mriggy · April 24, 2018, 12:47am

Hello,

I am trying to parse apache access logs and assign a value to each field. The problem is that the whole message goes into the message field instead. Could you please help with parsing.

conf file:

filter {
  if [fields.apachetype] =~ "error" {
    grok {
      patterns_dir => [ "/etc/logstash/patterns.d" ]
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
  } else if [fields.apachetype] =~ "access" {
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
  }
}

magnusbaeck · April 24, 2018, 6:18am

[fields][apachetype], not [fields.apachetype]. See https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#logstash-config-field-references.

system · May 22, 2018, 6:18am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Configuration if [path] =~ "access" not working Logstash	7	1282	October 3, 2019
Parsing specific values from logs in logstash configuration Logstash	9	984	March 16, 2017
Parsing apache logs - COMBINEDAPACHELOG & COMMONAPACHELOG not working Logstash	1	2606	May 9, 2017
Logstash not able to break message into given fields Logstash	3	531	August 22, 2017
Message has not been splitted to fields Logstash	4	562	November 30, 2017

Logstash is not splitting apache log fields

Related topics