Logstash km filter issue


(gopisa) #1

Hi All,

I am facing KV filter issue. any one please help me on this.

I am using kv filter. In that configuration value_split => ":\s" like that i spited my log file . if the any log file contain URL(https://googlr.com\facebook) that is coming in one filter ..

how to split my log file instead of ":". any one help me on this .

input log file

"Payload_exception" : "hhh.Integration.Com.Except.MePatieException:
alert rules can proactively identify and respond to an issue!.

output

		"Timestamp\"" => "2018-09-25T18:24:04.0064206Z",
"Payload_exception\"" => "hhh.Integration.Com.Except.MePatieException: <Error xmlns=",
              "http" => "//google.com/ecoeeement/eeee">",
      "<Message>The" => "alert",
          "rule" => "can",
            "proactively" => "identify",

logstash config

input {
file {
path => "C:\SoftwareInstalls\logstash-2.3.2\testfilter.log"
start_position => "beginning"
codec => multiline {
pattern => "^{"
negate => true
what => previous
auto_flush_interval => 3
}
}
}

filter {

kv{
value_split => ":\s"
field_split => ",\s"
trimkey => ""\ ()"
}

mutate {
remove_field => ['message', 'tags']
}
}

log file

{
"EventId" : "1",
"Keywords" : "1",
"Level" : "Verbose",
"Message" : "",
"Opcode" : "Info",
"Task" : "65534543 WriteVerbose",
"Version" : "0",
"Timestamp" : "2018-09-25T18:15:05.6201608Z",
"Payload_message" : "Message received by system. Set logging level above verbose to disable this message.",
"Payload_MessageType" : "MarkDd",
"Payload_MedseekPatientId" : "",
"Payload_OriginatingMessageId" : "454545-45454-4640-45454-a37ab3c945447",
"EOE" : ""
}
{
"EventId" : "545454",
"Keywords" : "1",
"Level" : "Critical",
"Message" : "",
"Opcode" : "Info",
"Task" : "65545429 WriteException",
"Version" : "0",
"Timestamp" : "2018-09-25T18:15:22.1211900Z",
"Payload_exception" : "hhh.Integration.Com.Except.MePatieException:
alert rules can proactively identify and respond to an issue!

at learned how alert rules can proactively identify and respond to an issue when they run log searches at scheduled intervals and match a particular criteria
at learned how alert rules can proactively identify and respond to an issue when they run log searches at scheduled intervals and match a particular criteria",
"Payload_MessageType" : "Update",
"Payload_OriginatingMessageId" : "8053c528-867e-4d56-aed8-45454545454545",
"Payload_MedseekPatientId" : "",
"EOE" : ""
}

Thanks in advance

Gopisa


(Shiva ) #2

I am facing same kind of issue help me on this ..


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.