Logstashs event parsing

funlearning321 · November 1, 2019, 6:18pm

Hello,

i am new to ELK. when i onboarded the below log file, it is going to "dead letter queue" in logstash because logstash couldn't able to process the events. I am not sure which type of plugin to use whether KV plugin or CSV plugin because first half of the events are normal and next half is in KV pair. Any help would be appreciated on how to write the filters.

Below is the sample log format.

25193662345 [http-nio-8080-exec-44] DEBUG c.s.b.a.m.PerformanceMetricsFilter - method=PUT status=201 appLogicTime=1, streamInTime=0, blobStorageTime=31, totalTime=33 tenantId=b9sdfs-1033-4444-aba5-csdfsdfsf, immutableBlobId=bss_c_586331/Sample_app12-sdas-157123148464.txt, blobSize=2862, domain=abc

2519366789 [http-nio-8080-exec-47] DEBUG q.s.b.y.m.PerformanceMetricsFilter - method=PUT status=201 appLogicTime=1, streamInTime=0, blobStorageTime=32, totalTime=33 tenantId=b0csdfsd-1066-4444-adf4-ce7bsdfssdf, immutableBlobId=bss_c_586334/Sample_app15-615223-157sadas6648465.txt, blobSize=2862, domain=cde

Thanks

Badger · November 1, 2019, 7:04pm

Try using a dissect filter to parse the first part of the line, and a kv filter for the rest.

    dissect { mapping => { "message" => "%{someNumber} [%{thread}] %{level} %{class} - %{[@metadata][restOfLine]}" } }
    kv { source => "[@metadata][restOfLine]" field_split => "," }

funlearning321 · November 4, 2019, 7:36pm

Thank you for the reply. i have changed the filter as per the suggestion. But when i run it in the GROK debugger i am getting compiler error. Below is the filter which i have used.

dissect { mapping => { "message" => "%{NUMBER:number} [%{thread}] %{level} %{class} - %{[@metadata][msg]}" } }
    kv {
              source => "[@metadata][msg]"
              include_keys => [ "method", "status", "appLogicTime", "streamInTime", "blobStorageTime", "totalTime", "tenantId", "immutableBlobId", "blobSize", "domain" ]
              field_split_pattern => "\,?\s"
              value_split => "="
       }

Badger · November 4, 2019, 7:40pm

You cannot use a grok debugger to test dissect or kv filters. It is specific to the grok filter.

system · December 2, 2019, 7:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Newbie questions about KV filter Logstash	3	480	July 6, 2017
Logstasg KV Logstash	7	558	February 13, 2018
Grok Filter Logstash	4	132	March 5, 2024
Parsing mixing of json and kv filter in logstash Logstash	6	2547	October 1, 2018
Logstash Filter Logstash	7	449	June 11, 2021

Logstashs event parsing

Related topics