Logstash tags _dateparsefailure - How to separate pasted fields or fields together?

Hi!
I have logs that have fields together or fields pasted together, and I don't know how to separate them. Here's a screenshot of how it looks in Kibana and another of how it looks in Logstash.
I need help with this as I'm new around here.
Thank you very much in advance.


Logstash Code:

			else if "performanceLog" in [path]
			{
				grok 
				{
					match 	=> {"message" => "(?<timestamp>%{YEAR:year}/%{MONTHNUM:month}/%{MONTHDAY:day}-%{TIME:date}) \| %{USERNAME:username} \| %{DATA:balcao} \| %{DATA:server} \| %{DATA:transaction} \| %{BASE16FLOAT:timed}|%{GREEDYDATA:message}" }
					overwrite => [ "message" ]
					match 	=> {"message" => "(?<timestamp>%{YEAR:year}/%{MONTHNUM:month}/%{MONTHDAY:day}-%{TIME:date}) \| %{USERNAME:username} \| %{DATA:balcao} \| %{DATA:server} \| %{DATA:transaction}\|%{DATA:identificador} \| %{BASE16FLOAT:timed}|%{GREEDYDATA:message}" }
					overwrite => [ "message" ]
					match 	=> {"message" => "(?<timestamp>%{YEAR:year}/%{MONTHNUM:month}/%{MONTHDAY:day}-%{TIME:date}) \| %{USERNAME:username} \| %{DATA:balcao} \| %{DATA:server} \| %{DATA:transaction}\|%{DATA:volta}\|(?<timestampperformance>%{YEAR:}/%{MONTHNUM:}/%{MONTHDAY:}-%{TIME:})\|%{DATA:identificador} \| %{BASE16FLOAT:timed}|%{GREEDYDATA:message}" }
				}
				mutate 
				{
					add_field => {
							"transaction" => "%{[transaction][0]}"
							"volta" => "%{[transaction][1]}"
							"timestampperformance" => "%{[transaction][2]}"
							"identificador" => "%{[transaction][3]}"
					}
				}	
				ruby 
				{
					code => 'event.set("time", (event.get("timed").to_f))'
				}
			}

Please do not post pictures of text. They are impossible to search, cannot be copied and pasted, and in your case simply impossible to read due to the poor colour contrast.

But you have the code; it is the same. I put it there to complete the information. People can look at it or not. And I put the picture as the instructions say.

The problem with the pictures is that they make it impossible to copy anything and try to simulate your pipeline, for example, and sometimes they are hard to see and some people may not be able to see them at all.

If I understood correctly you want to extract information from the transaction field, right?

To access it the way you want in the mutate filter, using index positions, you first need to have a mutate split on this field.

Try to add this in your pipeline:

mutate {
    split => { "transaction" => "|" }
}

So, if your transaction field has the string value of string1|string2|string3, the split filter will create an array with those values and you will have [ string1, string2, string3 ].

This will allow you to access the values using the index position, for example %{[transaction][0]} will return string1.

The _dateparsefailure is a tag added by the date filter, but you didn't share your date filter, so there is no way to know what could be wrong.
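The split-then-index step from the reply above, as an added example that is not part of the original thread: plain Ruby (the language of the ruby filter already in the pipeline) that splits a pasted `transaction` value and names the parts according to the three layouts the question's grok patterns imply. The function name and the sample values are assumptions made for illustration.

```ruby
# Added example, not code from the thread. Field names are taken from the
# grok patterns in the question; split_transaction is a hypothetical helper.
#
# Layouts implied by the three grok patterns for the pasted part:
#   transaction
#   transaction|identificador
#   transaction|volta|timestampperformance|identificador
def split_transaction(raw)
  # limit -1 keeps trailing empty strings, so "a|b||" still yields four parts
  parts = raw.to_s.split("|", -1).map(&:strip)
  case parts.length
  when 1
    { "transaction" => parts[0] }
  when 2
    { "transaction" => parts[0], "identificador" => parts[1] }
  when 4
    { "transaction"          => parts[0],
      "volta"                => parts[1],
      "timestampperformance" => parts[2],
      "identificador"        => parts[3] }
  else
    # Unknown layout (including an empty or missing field): return nil so the
    # caller can tag the event instead of writing guessed values into it.
    nil
  end
end

# Inside a Logstash ruby filter the same logic would be driven like this
# (event.get / event.set are the calls the pipeline above already uses):
#   fields = split_transaction(event.get("transaction"))
#   fields.each { |k, v| event.set(k, v) } if fields

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not taken from real logs
  ["TX001", "TX001|ID42", "TX001|2|2021/03/04-10:15:30|ID42", "a|b|c"].each do |s|
    puts "#{s.inspect} -> #{split_transaction(s).inspect}"
  end
end
```

Returning `nil` for an unexpected number of parts keeps a malformed line from silently shifting values into the wrong fields.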
