Missing data from logstash to elasticsearch


(mohamed) #1

Not all of data are passing from logstash to elasticsearch


(David Pilato) #2

Please don't post images of text as they are hardly readable and not searchable.

Instead paste the text and format it with </> icon. Check the preview window.


(mohamed) #3

pfelogsvn.conf
<input {
file {
path => "/home/mohamed/Bureau/logstash/logstash-6.1.3/logsvn.log"
start_position => beginning
sincedb_path => "dev/null"

}

}
filter {

grok{

match => [ "message", "%{USERNAME:user} | %{GREEDYDATA:statut} | %{GREEDYDATA:date} %{TIME:heure} +%{INT:temps} (%{GREEDYDATA:jour}) | %{GREEDYDATA:nbl}",
"message", "%{GREEDYDATA:nb}"]

}
if [message] == "------------------------------------------------------------------------" {
drop { }
}
if [nb] == "------------------------------------------------------------------------" {
drop { }
}
if [message] =~ /^\s*$/ {
drop { }
}
if [nb] == "^$" {
drop { }
}
}
output {
elasticsearch {
hosts =>["localhost:9200"]
manage_template =>false
index => "pfe7"
document_type=>"system_logs"

}
stdout { codec => rubydebug }
}>

i have used this configuration to run data from logstash to elasticsearsh but i have met a problem ,not all the data is passing to elasticsearch


(David Pilato) #4

Please format your code, logs or configuration files using </> icon as explained in this guide and not the citation button. It will make your post more readable.

Or use markdown style like:

```
CODE
```

There's a live preview panel for exactly this reasons.

Lots of people read these forums, and many of them will simply skip over a post that is difficult to read, because it's just too large an investment of their time to try and follow a wall of badly formatted text.
If your goal is to get an answer to your questions, it's in your interest to make it as easy to read and understand as possible.
Please update your post.


(mohamed) #6

i didn't understand your request


(David Pilato) #7

Your code is not correctly formatted. No indentation, hard to read.


(system) closed #9

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.