Logstash tags _dateparsefailure - How to separate pasted fields or fields together?

Elastic Stack Logstash
1

Hi!
I have logs that have fields together or fields pasted together, and I don't know how to separate them. Here's a screenshot of how it looks in Kibana and another how it looks in Logstash.
I need help with this as I'm new around here.
Thank you very much in advance.

erro dados
erro dados1286×365 27 KB

erro dados log
erro dados log3166×466 21.2 KB

Logstash Code:

			else if "performanceLog" in [path]
			{
				grok 
				{
					match 	=> {"message" => "(?<timestamp>%{YEAR:year}/%{MONTHNUM:month}/%{MONTHDAY:day}-%{TIME:date}) \| %{USERNAME:username} \| %{DATA:balcao} \| %{DATA:server} \| %{DATA:transaction} \| %{BASE16FLOAT:timed}|%{GREEDYDATA:message}" }
					overwrite => [ "message" ]
					match 	=> {"message" => "(?<timestamp>%{YEAR:year}/%{MONTHNUM:month}/%{MONTHDAY:day}-%{TIME:date}) \| %{USERNAME:username} \| %{DATA:balcao} \| %{DATA:server} \| %{DATA:transaction}\|%{DATA:identificador} \| %{BASE16FLOAT:timed}|%{GREEDYDATA:message}" }
					overwrite => [ "message" ]
					match 	=> {"message" => "(?<timestamp>%{YEAR:year}/%{MONTHNUM:month}/%{MONTHDAY:day}-%{TIME:date}) \| %{USERNAME:username} \| %{DATA:balcao} \| %{DATA:server} \| %{DATA:transaction}\|%{DATA:volta}\|(?<timestampperformance>%{YEAR:}/%{MONTHNUM:}/%{MONTHDAY:}-%{TIME:})\|%{DATA:identificador} \| %{BASE16FLOAT:timed}|%{GREEDYDATA:message}" }
				}
				mutate 
				{
					add_field => {
							"transaction" => "%{[transaction][0]}"
							"volta" => "%{[transaction][1]}"
							"timestampperformance" => "%{[transaction][2}"
							"identificador" => "%{[transaction][3]}"
					}
				}	
				ruby 
				{
					code => 'event.set("time", (event.get("timed").to_f))'
				}
			}
2

Please do not post pictures of text. They are impossible to search, cannot be copied and pasted, and in your case simply impossible to read due to the poor colour contrast.

3

But have the code, is the same. I put to complete the information. The people can see or not. And the picture I put how the instructions

4

The problem with the pictures is that it makes impossible to copy anything and try to simulate your pipeline for example, and sometimes it is hard to see and some people may not be able to see it at all.

If I understood correctly you want to extract information from the transaction field, right?

To access they way you want to access it in the mutate filter, using index positions, you need first to have a mutate splite on this field.

Try to add this in your pipeline:

mutate {
    split => { "transaction" => "|" }
}

So, if your transaction field has the string value of string1|string2|string3, the split filter will create an array with those values and you will have [ string1, string2, string3 ].

This will allow you to access the values using the index position, for example %{[transaction][0]} will return string1.

The _dateparsefailure is a tag added by the date filter, but you didn't share your date filter, so there is no way to know what could be wrong.

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.