Logstash not able to break message into given fields

NITIN-BHAISARE · July 22, 2017, 3:03pm

I have a log which contains java stack traces and a line which is very simple like this:
[id] 002 [uri] /legacy/biology/v2/status
Grok Pattern: [%{DATA:id}]\s%{JAVAFILE:track_id}\s[%{DATA:uri}]\s%{DATA:path}
I am using fielbeat to get these types of line only using following configuration:

- input_type: log
  paths:
    - /home/nitin/nohup.out
  document_type: sys-app
  exclude_lines: ['^[[:space:]]', '^[[:alpha:]]', '^201']

I have two environments my test setup and production setup. On my test env. i can see all logs getting parsed without any grok parse failure. but on my production setup i dont see any grok parse failure but message is not broken into fields. Can somebody please help me this ??

I have been scratching my head for 1 week now..Please if anybody has any idea about this???

Thanks,
Nitin

NITIN-BHAISARE · July 22, 2017, 6:36pm

Although i am getting beats_input_codec_plain_applied...this is weird

magnusbaeck · July 25, 2017, 9:04pm

Please show

your Logstash configuration files and
an example event produced by Logstash (use a stdout { codec => rubydebug } output.

system · August 22, 2017, 9:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Message has not been splitted to fields Logstash	4	562	November 30, 2017
Grokparse failure even grok debugger fine Logstash	9	232	September 1, 2023
Few messages go unparsed from Logstash into Elastic without any failure Logstash	4	1114	May 1, 2017
Logstash is not splitting apache log fields Logstash	2	564	May 22, 2018
Parse sonarqube logs Logstash	6	4100	March 29, 2018

Logstash not able to break message into given fields

Related topics