Logstash KV filter for multiline message

Hi Team,

I am creating a KV filter for the following message

1535125123989 error targetResponse m=GET, u=/favicon.ico, h=test.com, r=192.168.1.5:2383, s=404, name=Error, message=no match found for /favicon.ico, code=undefined, stack=Error: no match found for /favicon.ico
at Error (native)
at /apps/apigee/lib/node_modules/edgemicro/node_modules/microgateway-core/lib/config-proxy-middleware.js:114:23
at /apps/apigee/lib/node_modules/edgemicro/node_modules/microgateway-core/lib/gateway.js:40:11
at /apps/apigee/lib/node_modules/edgemicro/node_modules/async/lib/async.js:718:13
at iterate (/apps/apigee/lib/node_modules/edgemicro/node_modules/async/lib/async.js:262:13)
at async.forEachOfSeries.async.eachOfSeries (/apps/apigee/lib/node_modules/edgemicro/node_modules/async/lib/async.js:281:9)
at _parallel (/apps/apigee/lib/node_modules/edgemicro/node_modules/async/lib/async.js:717:9)
at Object.async.series (/apps/apigee/lib/node_modules/edgemicro/node_modules/async/lib/async.js:739:9)
at Server.serverMiddleware (/apps/apigee/lib/node_modules/edgemicro/node_modules/microgateway-core/lib/gateway.js:38:13)
at emitTwo (events.js:106:13)
at Server.emit (events.js:191:7)
at HTTPParser.parserOnIncoming [as onIncoming] (_http_server.js:546:12)
at HTTPParser.parserOnHeadersComplete (_http_common.js:99:23)

And the logstash conf is as follows

input {
file {

path => "test.log"
type => "logs"
codec => multiline {
  pattern => "^%{NUMBER}"
  negate => true
  what => "previous"
}
start_position => "beginning"

}
}
filter {
grok {
match => {"message" => "%{NUMBER:unixTime} %{LOGLEVEL:severity} %{DATA:eventType} %{GREEDYDATA:logMessage}"}
}

date {
    match => ["unixTime", "UNIX_MS"]
    target => "logTime"
}


kv {
    source => "logMessage"
    trim_key => "<>\[\], "
    field_split => ","
    value_split => "="

}

if "_grokparsefailure" in [tags] {
mutate {
remove_field => [ "@version","path","type","host" ]
remove_tag => ["_grokparsefailure"]
}
} else {

         if [name] == "Error" {
              mutate {
               rename => { "message" => "errorMessage" }
              }
         }

         mutate {
                    rename => { "m" => "httpMethodName" }
                    rename => { "u" => "urlPath" }
                    rename => { "h" => "gatewaybackendHostPort" }
                    rename => { "r" => "clientHostPort" }
                    rename => { "i" => "requestId" }
                    rename => { "d" => "duration" }
                    rename => { "s" => "httpVerb" }
                    gsub => ["requestId", "\r", ""]
                    gsub => ["stack", "\r", ""]
                    gsub => ["stack", "\n", ""]
                    remove_field => [ "@version","path","type","host"]
                }
 }

}

output {
stdout {}
}

And I m getting the following as the output

{
"logMessage" => "m=GET, u=/favicon.ico, h=api.kbmg.com, r=::ffff:192.168.94.5:2383, s=404, name=Error, message=no match found for /favicon.ico, code=undefined, stack=Error: no match found for /favicon.ico\r\n at Error (native)\r\n at /apps/apigee/lib/node_modules/edgemicro/node_modules/microgateway-core/lib/config-proxy-middleware.js:114:23\r\n at /apps/apigee/lib/node_modules/edgemicro/node_modules/microgateway-core/lib/gateway.js:40:11\r\n at /apps/apigee/lib/node_modules/edgemicro/node_modules/async/lib/async.js:718:13\r\n at iterate (/apps/apigee/lib/node_modules/edgemicro/node_modules/async/lib/async.js:262:13)\r\n at async.forEachOfSeries.async.eachOfSeries (/apps/apigee/lib/node_modules/edgemicro/node_modules/async/lib/async.js:281:9)\r\n at _parallel (/apps/apigee/lib/node_modules/edgemicro/node_modules/async/lib/async.js:717:9)\r\n at Object.async.series (/apps/apigee/lib/node_modules/edgemicro/node_modules/async/lib/async.js:739:9)\r\n at Server.serverMiddleware (/apps/apigee/lib/node_modules/edgemicro/node_modules/microgateway-core/lib/gateway.js:38:13)\r\n at emitTwo (events.js:106:13)\r\n at Server.emit (events.js:191:7)\r\n at HTTPParser.parserOnIncoming [as onIncoming] (_http_server.js:546:12)\r\n at HTTPParser.parserOnHeadersComplete (_http_common.js:99:23)\r",
"name" => "Error",
"stack" => "Error: no match found for /favicon.ico",
"@timestamp" => 2018-09-10T11:49:07.147Z,
"errorMessage" => "no match found for /favicon.ico",
"httpMethodName" => "GET",
"gatewaybackendHostPort" => "test.com",
"urlPath" => "/favicon.ico",
"logTime" => 2018-08-24T15:38:43.989Z,
"httpVerb" => "404",
"unixTime" => "1535125123989",
"severity" => "error",
"eventType" => "targetResponse",
"tags" => [
[0] "multiline"
],
"code" => "undefined",
"clientHostPort" => "192.168.1.5:2383"
}

I am expecting the stack to have the complete stack trace. Anything wrong with the KV filter or do i have to add something in the configuration file. Kindly help. Thanks

The issue has been fixed by adding a mutate filter to replace \r and \n in the logmessage.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.