Matching/Finding certain text using logstash filter

spravn789 · April 26, 2016, 10:19am

I have a text with [INFO or ERROR or Warn] concatenated with few other texts, which i am able to get under greedy data, But I want to split those Log Level values under new field.

Sample Text: 2016 Apr 26 15:44:40:603 GMT +0530 BW.Service-1-Service Info [BW-User] - Job-8309-2 [Logger/LogToLocal.process/Log]: Processed Service_01 with BusinessObjectId:1111 and ConversationId:11111 and MessageId:1111
If reg ex is the solution, kindly suggest with example.
Help or suggestion would be very helpful.

magnusbaeck · April 26, 2016, 4:58pm

Use a grok filter to extract new fields from text in existing fields. Show us what you have so far. Presumably you already have a grok filter to parse the line. In the example above, is "Info" right after "BW.Service-1-Service" the string you want to extract?

spravn789 · April 30, 2016, 9:16am

Hi Magnus
Thanks for the reply,

Yes it is right after that. I am now able parse the text like below using the grok filter.

Text: 2016 Apr 26 15:44:40:603 GMT +0530 BW.Service-1-Service Info [BW-User] - Job-8309-2 [Logger/LogToLocal.process/Log]: Processed Service_01 with BusinessObjectId:1111 and ConversationId:11111 and MessageId:1111

%{YEAR} %{MONTH} %{MONTHDAY} %{TIME} GMT +%{INT} %{PROG:program} %{WORD:loglevel} [%{USER:auth}] %{GREEDYDATA:BwLog1}

Getting matched and able to see the data in kibana.

But in Kibana Visualization, these tags PROG:program is not showing up for filtering.. Same is available in Discover section but not in Visualization.

magnusbaeck · April 30, 2016, 2:31pm

But in Kibana Visualization, these tags PROG:program is not showing up for filtering.. Same is available in Discover section but not in Visualization.

Sorry, I don't quite understand what the problem is. Maybe a screenshot would make it easier for you to explain what the problem.

spravn789 · June 13, 2019, 8:48am

Below is the Discover and Visualization /pie chart sections screen shots.

Program section getting displayed under discover is not getting displayed in visualization.

spravn789 · May 2, 2016, 5:15am

Hi Magnus,
I found the solution, By Refreshing the settings section able to get the field in visualization section.

Can you give brief explain for what is Analysed Field and Indexed Field.

Thanks in advance.

magnusbaeck · May 3, 2016, 11:04am

See the description of the index attribute for fields for a definition of these terms: https://www.elastic.co/guide/en/elasticsearch/guide/current/mapping-intro.html#_index_2

See https://www.elastic.co/guide/en/elasticsearch/guide/current/analysis-intro.html for a description of what analysis is all about.

spravn789 · September 21, 2016, 9:04am

Hi Magnus,

Everything was working fine. Suddenly facing few issues.

We have 4 different machine running logstash, and shipping data to elasticsearch running in different machine on same network. Issue are as below,

In kibana, not able to view data from 3 machines, only one machine data is visible on kibana.
In Kibana when i do monitoring particular field, and tried to sort that, receiving error as
Failed to execute [org.elasticsearch.action.search.SearchRequest@74a9c9f4] lastShard [true],nested: IllegalStateException[Field data loading is forbidden on [jobid]];,Caused by: java.lang.IllegalStateException: Field data loading is forbidden on [jobid]

magnusbaeck · September 21, 2016, 10:57am

Please start new threads for your new problems instead of reviving old threads that discuss something else.

system · July 6, 2017, 4:37am