bsilsy
(sergey)
February 15, 2022, 1:55pm
1
Good day everyone!
I'm trying to parse the "message" field with grok, but I get the _grokparsefailure tag on 100% of documents.
Data is sent using Filebeat.
Message log example:
"message": "10.10.10.10 - text [15/Feb/2022:15:27:27 +0300] 0.170 \"POST /text/ HTTP/1.1\" 200 735 \"-\" \"-\" \"text\" \"-\" \"-\" \"text\" \"111111111111\" \"text\""
My pipeline config:
input {
  beats {
    host => "0.0.0.0"
    port => 5044
  }
}
filter {
  grok {
    # The whole pattern is one double-quoted Logstash string; every literal
    # quote from the log line is written as \\" inside it.
    # Note: the field name text5 is used twice in this pattern.
    match => { "message" => "%{IPV4:ip} - %{WORD:text1} \[%{HTTPDATE:timestamp}\] %{NUMBER:duration} \\"%{WORD:text2} \/%{WORD:text3}/ HTTP/%{NUMBER:httpversion} *?%{DATA:rawrequest} %{NUMBER:response} %{NUMBER:bytes} \\"-\\" \\"-\\" \\"%{WORD:text4}\\" \\"-\\" \\"-\\" \\"%{WORD:text5}\\" \\"%{NUMBER:id}\\" \\"%{WORD:text5}\\"" }
  }
}
output {
  elasticsearch {
    hosts => "localhost:9200"
    index => "myindex-%{+YYYY.MM.dd}"
  }
}
It works in the Grok Debugger.
I need some help with this, thanks!
Badger
February 15, 2022, 5:24pm
2
Try
grok { match => { "message" => '%{IPV4:ip} - %{WORD:text1} \[%{HTTPDATE:timestamp}\] %{NUMBER:duration} "%{WORD:text2} \/%{WORD:text3}/ HTTP/%{NUMBER:httpversion}" *?%{DATA:rawrequest} %{NUMBER:response} %{NUMBER:bytes} "-" "-" "%{WORD:text4}" "-" "-" "%{WORD:text5}" "%{NUMBER:id}" "%{WORD:text5}"' } }
Note that you have two [text5] fields.
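To see what the two patterns in this thread actually capture, here is an added example that is not part of the original posts: a small Python expander that turns the grok tokens into a Python regex and runs both the original pattern (post 1) and the suggested one (post 2) over a sample line constructed from the shape shown in post 1. The grok definitions below are simplified stand-ins for the stock ones (an assumption, labelled in the code), and the second text5 field is renamed text6 because Python forbids duplicate group names. Writing the regex in Python raw strings deliberately sidesteps Logstash's own string-quoting rules, which is the part the reply above changes: if both patterns match the sample offline, the pipeline failure is likely to come from how the pattern string is quoted in the config or from the real event's message differing from the pasted sample, not from the pattern logic itself.

```python
import re

# Simplified stand-ins for the stock grok patterns used in the thread.
# Assumption: they approximate, but do not reproduce exactly, the definitions
# that ship with Logstash's grok filter.
GROK_PATTERNS = {
    "IPV4": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "WORD": r"\b\w+\b",
    "HTTPDATE": r"\d{1,2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
    "NUMBER": r"[+-]?(?:\d+(?:\.\d+)?|\.\d+)",
    "DATA": r".*?",
}

_TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME:field} tokens into Python named groups; the rest of the
    pattern is passed through untouched, exactly as grok would treat it."""
    def repl(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return _TOKEN.sub(repl, pattern)


def grok_match(pattern: str, line: str):
    """Return the captured fields as a dict, or None where Logstash would
    add the _grokparsefailure tag (grok searches unanchored, like re.search)."""
    m = re.search(grok_to_regex(pattern), line)
    return m.groupdict() if m else None


# Constructed sample line with the same shape as the message in post 1.
SAMPLE_LINE = ('10.10.10.10 - text [15/Feb/2022:15:27:27 +0300] 0.170 '
               '"POST /text/ HTTP/1.1" 200 735 "-" "-" "text" "-" "-" "text" '
               '"111111111111" "text"')

# Pattern from post 1, with literal quotes written plainly (the \\" escaping
# belongs to Logstash's config string, not to the regex). The second text5
# is renamed text6 here (assumption) because Python rejects duplicate names.
ORIGINAL_PATTERN = (
    r'%{IPV4:ip} - %{WORD:text1} \[%{HTTPDATE:timestamp}\] %{NUMBER:duration} '
    r'"%{WORD:text2} \/%{WORD:text3}/ HTTP/%{NUMBER:httpversion} *?%{DATA:rawrequest} '
    r'%{NUMBER:response} %{NUMBER:bytes} "-" "-" "%{WORD:text4}" "-" "-" '
    r'"%{WORD:text5}" "%{NUMBER:id}" "%{WORD:text6}"'
)

# Pattern from post 2: the closing quote of the request is consumed right
# after httpversion instead of being swallowed by DATA:rawrequest.
SUGGESTED_PATTERN = (
    r'%{IPV4:ip} - %{WORD:text1} \[%{HTTPDATE:timestamp}\] %{NUMBER:duration} '
    r'"%{WORD:text2} \/%{WORD:text3}/ HTTP/%{NUMBER:httpversion}" *?%{DATA:rawrequest} '
    r'%{NUMBER:response} %{NUMBER:bytes} "-" "-" "%{WORD:text4}" "-" "-" '
    r'"%{WORD:text5}" "%{NUMBER:id}" "%{WORD:text6}"'
)


def compare(line: str = SAMPLE_LINE) -> dict:
    """Run both patterns over one line and report what rawrequest captured,
    which is the only field whose value differs between the two."""
    return {
        "original": grok_match(ORIGINAL_PATTERN, line),
        "suggested": grok_match(SUGGESTED_PATTERN, line),
    }


if __name__ == "__main__":
    for label, fields in compare().items():
        status = "matched" if fields else "_grokparsefailure"
        raw = repr(fields["rawrequest"]) if fields else "-"
        print(f"{label:>9}: {status}, rawrequest={raw}")
```

Both patterns match the constructed line; the difference is that the original leaves the stray `"` in rawrequest, while the suggested one captures an empty rawrequest and puts the quote where it belongs. Swapping SAMPLE_LINE for a real message copied from an event (for example from Kibana, or by temporarily sending to a stdout output) is the quickest way to find out whether the live data has the same shape as the pasted sample.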
bsilsy
(sergey)
February 16, 2022, 5:52am
3
I renamed one of the text5 fields.
I tried changing the " to ' as you indicated, but it didn't help. I still get the _grokparsefailure tag on 100% of documents.
If I add if [event][module] == "nginx" to the filter, then I get the _grokparsefailure tag on 50-60% of documents, but the fields I need are not visible.
I apologize that the screenshots are not the best.
In the log I get:
[logstash.outputs.elasticsearch] Using a default mapping template {:es_version=>7, :ecs_compatibility=>:disabled}
I tried adding a line to the output, but it didn't change anything:
ecs_compatibility => "v1"
Badger
February 16, 2022, 6:30pm
4
If your grok is not matching then see here, also here.
system
(system)
Closed
March 16, 2022, 6:30pm
5
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.