Logstash not able to break message into given fields

NITIN-BHAISARE · July 22, 2017, 3:03pm

I have a log which contains java stack traces and a line which is very simple like this:
[id] 002 [uri] /legacy/biology/v2/status
Grok Pattern: [%{DATA:id}]\s%{JAVAFILE:track_id}\s[%{DATA:uri}]\s%{DATA:path}
I am using fielbeat to get these types of line only using following configuration:

- input_type: log
  paths:
    - /home/nitin/nohup.out
  document_type: sys-app
  exclude_lines: ['^[[:space:]]', '^[[:alpha:]]', '^201']

I have two environments my test setup and production setup. On my test env. i can see all logs getting parsed without any grok parse failure. but on my production setup i dont see any grok parse failure but message is not broken into fields. Can somebody please help me this ??

I have been scratching my head for 1 week now..Please if anybody has any idea about this???

Thanks,
Nitin

NITIN-BHAISARE · July 22, 2017, 6:36pm

Although i am getting beats_input_codec_plain_applied...this is weird

magnusbaeck · July 25, 2017, 9:04pm

Please show

your Logstash configuration files and
an example event produced by Logstash (use a stdout { codec => rubydebug } output.

system · August 22, 2017, 9:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.