Logstash not creating new field

kitex · December 18, 2016, 2:36am

My Log Line:

2016-12-18 05:30:46 kannel 2016-12-18 05:30:46 SMS HTTP-request sender:44176845678 request: 'The Today Date "18/12/2016",Adam Smith "18/12/2016",and Time "05:30"

I have installed logstash from rpm package manager. I have used filebeat as log shipper.

My configuration:

input {
        beats {
                port => 5000
          }
}

filter {
        if "sender:" in [message]  {
                        grok {
                                match => { "message" => "%{TIMESTAMP_ISO8601:senttime} %{GREEDYDATA:hostname} %{TIMESTAMP_ISO8601:timestamp} %{WORD:type} %{GREEDYDATA:method} sender:%{WORD:phno} request: %{GREEDYDATA:txtmessage}" }
                    }

                     mutate {
                          add_field => { "senttime" => "%{senttime}"}
                        }
        }else{
                 drop { }
            }
        }

output {
                 elasticsearch {
                        hosts => [ "192.20.10.12:9200" ]
                        index => "sender_log"
                }
}

I have also tried to add field in grok itself:

 grok {
                                match => { "message" => "%{TIMESTAMP_ISO8601:senttime} %{GREEDYDATA:hostname} %{TIMESTAMP_ISO8601:timestamp} %{WORD:type} %{GREEDYDATA:method} sender:%{WORD:phno} request: %{GREEDYDATA:txtmessage}" }
                add_field => [ "senttime", "%{senttime}" ]
}

I am trying to add field using mutate but the field content is %{senttime} instead of 2016-12-18 05:30:46 itself. How do I add content as per match. Also, how do i dynamically specify optput index?

magnusbaeck · December 20, 2016, 9:16pm

Your mutate filter serves no purpose, remove it. Listing add_field => [ "senttime", "%{senttime}" ] in the grok filter is equally pointless.

It sounds like your grok filter doesn't match. Are your events getting a _grokparsefailure tag?

Also, how do i dynamically specify optput index?

The index option supports %{name-of-field} references so you can piece together an index name based on one or more fields.

kitex · December 23, 2016, 7:26am

Yes. There was grokparsefailure.I changed it then it worked.Thank you !

system · January 20, 2017, 7:27am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.