The grok is right; it has been tested on the grok debugger and splits the message into fields.
In logstash.conf, in the filter, the message passes through grok and stays unsplit.
In Kibana I see the message in quotes and not split; even the names of the fields that I gave do not appear.
Don't describe the configuration and the unwanted results. Show them.
The filter is:
filter {
  if [type] == "xlpc" {
    grok {
      break_on_match => true
      keep_empty_captures => false
      match => {
        message => [
          "%{NUMBER:threadid};%{TIMESTAMP_ISO8601:eventutctime};%{DATA:username};%{JAVACLASS:apiname};%{WORD:apireturnstatus};%{WORD:componentname};%{BASE10NUM:customisation-level};%{BASE10NUM:cputimeinmillisec};%{WORD:runmode};%{WORD:errorcodeiffailure}",
          "%{NUMBER:threadid};%{TIMESTAMP_ISO8601:eventutctime};%{DATA:username};%{JAVACLASS:apiname};%{WORD:apireturnstatus};%{WORD:componentname};%{BASE10NUM:customisation-level};%{BASE10NUM:cputimeinmillisec};%{WORD:runmode};(%{GREEDYDATA:errorcodeiffailure})\s*%{GREEDYDATA:error_description}"
        ]
      }
      patterns_dir => "C:\DoLense\Patterns\patterns"
    }
    date {
      match => ["eventutctime" , "yyyy-MM-dd HH:mm:ss.SSS"]
    }
  }
}
The message stays as it was:
{
  "_index": "logstash-2017.11.01",
  "_type": "logs",
  "_id": "uNMmeF8BckcNrt9keZMl",
  "_score": 1,
  "_source": {
    "@timestamp": "2017-11-01T15:14:59.384Z",
    "offset": 13658,
    "@version": "1",
    "beat": {
      "name": "SHARONSA02V",
      "hostname": "SHARONSA02V",
      "version": "6.0.0-beta2"
    },
    "host": "SHARONSA02V",
    "source": """C:\data\XL\ABPAuditLog_20171011034431.log.bak""",
    "message": "3506;2017-09-11 03:44:32.745;San1348;amdocs.csm3g.local.implementation.ImplementationClassServicesProxy.getValidValues;S;CM;1;0.723;EJB;null",
    "tags": [
      "beats_input_codec_plain_applied"
    ]
  }
}
The message is not split.
if [type] == "xlpc" {
This condition isn't true in your example.
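To make the diagnosis above concrete, here is an added example (not from the original thread) of the same filter guarded by a condition on a field the posted event actually carries; the `[source]` regex and the `xlpc` tag are assumptions, the grok patterns and paths are the ones from the question:

```logstash
# Added example. The event shown has no "type" field at all, so
# `if [type] == "xlpc"` is never true and the grok never runs. The
# event does carry "source", so condition on that instead.
filter {
  if [source] =~ /ABPAuditLog_\d+\.log/ {
    grok {
      break_on_match => true
      keep_empty_captures => false
      match => {
        "message" => [
          "%{NUMBER:threadid};%{TIMESTAMP_ISO8601:eventutctime};%{DATA:username};%{JAVACLASS:apiname};%{WORD:apireturnstatus};%{WORD:componentname};%{BASE10NUM:customisation-level};%{BASE10NUM:cputimeinmillisec};%{WORD:runmode};%{WORD:errorcodeiffailure}",
          "%{NUMBER:threadid};%{TIMESTAMP_ISO8601:eventutctime};%{DATA:username};%{JAVACLASS:apiname};%{WORD:apireturnstatus};%{WORD:componentname};%{BASE10NUM:customisation-level};%{BASE10NUM:cputimeinmillisec};%{WORD:runmode};(%{GREEDYDATA:errorcodeiffailure})\s*%{GREEDYDATA:error_description}"
        ]
      }
      patterns_dir => "C:\DoLense\Patterns\patterns"
      # Assumed tag: lets you search tags:xlpc in Kibana to see which
      # events took this branch. Events that entered the branch but did
      # not match any pattern get the standard _grokparsefailure tag.
      add_tag => ["xlpc"]
    }
    date {
      match => ["eventutctime", "yyyy-MM-dd HH:mm:ss.SSS"]
    }
  }
}
# Alternative that keeps `if [type] == "xlpc"`: set the field on the
# Filebeat side in the prospector that ships these files, e.g.
#   fields:
#     type: xlpc
#   fields_under_root: true
# so that the event arrives with a top-level "type": "xlpc".
```

Whichever variant you use, confirm it with the event in Kibana: the split fields and the added tag appear only if the conditional was actually true for that event.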