Logstash not parsing correctly with dissect

Hello everyone! How are you? I need to ask you something. I am parsing the logs of a service, and they come in this format:

|@ TIMESTAMP || DATE1 || DATE2 || DATE3 || DATE4 || DATE5 || DATE6 @|

However, when I view the logs in Kibana, the message field contains 2, 3 or even 4 records together:

|@ TIMESTAMP || DATE1 || DATE2 || DATE3 || DATE4 || DATE5 || DATE6 @| |@ TIMESTAMP || DATE1 || DATE2 || DATE3 || DATE4 || DATE5 || DATE6 @| |@ TIMESTAMP || DATE1 || DATE2 || DATE3 || DATE4 || DATE5 || DATE6 @| |@ TIMESTAMP || DATE1 || DATE2 || DATE3 || DATE4 || DATE5 || DATE6 @|

My configuration is as follows:

input {
  beats {
    port => 5444
  }
}

filter {
  mutate {
    gsub => [ "message", "\n", " " ]
  }
  dissect {
    mapping => {
      "message" => "|@ %{logtimestamp} || %{addr} || %{user} || %{type} || %{info} || %{blank} || %{interface} @|"
    }
  }
  mutate {
    add_field => { "newtimestamp" => "%{logtimestamp}" }
    remove_field => ["logtimestamp"]
  }
  date {
    locale => "es-AR"
    match => ["newtimestamp", "yyyy-MM-dd-HH.mm.ss.SSSSSS"]
    timezone => "America/Argentina/Buenos_Aires"
    target => "@timestamp"
    add_field => { "debug" => "timestampMatched"}
  }
}

output {
  stdout {
    codec => rubydebug
  }
  elasticsearch {
    index => "gvplogs"
    hosts => "elasticsearch:9200"
  }
}

What could I be doing wrong? Am I missing something that I don't have in mind?

Thank you!

Is each entry coming on a separate line? It looks like you may be missing newlines between the records there.
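
Added example, not part of the thread and not Logstash's own code: a stand-alone Ruby sketch that splits a message holding several `|@ ... @|` records into one hash per record, using the field names from the dissect mapping in the question, and sets aside records with the wrong field count instead of letting them through with shifted fields. The method name, the constants and the sample lines are constructed for illustration.

```ruby
# Added example (not from the thread). Field names come from the dissect
# mapping in the question; everything else here is an assumption.
FIELDS = %w[logtimestamp addr user type info blank interface].freeze

# One framed record: "|@ " ... " @|". The non-greedy body keeps adjacent
# records apart when several were joined into a single message.
RECORD = /\|@ (.*?) @\|/m

# Split a message that may hold several records.
# Returns { parsed: [hash per well-formed record], rejected: [raw bodies] }.
def split_records(message)
  parsed = []
  rejected = []
  message.scan(RECORD).flatten.each do |body|
    # -1 keeps trailing empty fields, so an empty last column still counts.
    values = body.split(' || ', -1)
    if values.length == FIELDS.length
      parsed << FIELDS.zip(values).to_h
    else
      # Wrong field count: keep the raw text for tagging and review.
      rejected << body
    end
  end
  { parsed: parsed, rejected: rejected }
end

# Constructed sample: two complete records and one truncated record,
# joined with spaces the way the merged message in the question looks.
SAMPLE = [
  '|@ 2019-03-01-10.15.30.000123 || 10.0.0.5 || alice || LOGIN || ok ||  || eth0 @|',
  '|@ 2019-03-01-10.15.31.000456 || 10.0.0.6 || bob || LOGOUT || ok ||  || eth1 @|',
  '|@ 2019-03-01-10.15.32.000789 || 10.0.0.7 || carol @|'
].join(' ')

if __FILE__ == $PROGRAM_NAME
  result = split_records(SAMPLE)
  result[:parsed].each { |r| puts r.inspect }
  puts "rejected: #{result[:rejected].inspect}"
end
```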
