We have been running ELK on Windows for years, and it's come to the point where we can't upgrade. The filters don't work at all.
Instead of using Beats, I tried to mount the shares again, but the performance is terrible.
If I go without filters in Beats I get ~6k/s indexing; with filtering it went down to 5-15/s.
I made a new Linux machine to have everything in one place, as it's easier to maintain.
I converted the filter to work on Linux if I mount the shares and use those for input, but when using Beats it stops working.
grok-patterns
# Custom patterns loaded via patterns_dir and referenced from the filter's grok
# match lists as %{GREEDYXML:messagexml}, at the tail of the (?m) multiline matches.
# NOTE(review): as pasted, `.<?xml.` is one arbitrary character, an optional `<`
# (the `?` is a quantifier on `<`, not a literal), the literal `xml`, then one more
# arbitrary character. If "everything up to and including an <?xml declaration" was
# intended, that would need something like `.*<\?xml.*`; the asterisks and backslash
# may have been lost when the post was formatted — confirm against the real file.
# NOTE(review): several consecutive unanchored GREEDYDATA/DATA/GREEDYXML captures on
# long multiline events can backtrack heavily in grok; this may be a factor in the
# throughput drop described above, but it is not established from this file alone.
GREEDYXML (.<?xml.)
# Same reading as above: one arbitrary character, literal `<asm`, one arbitrary
# character. Presumably meant to be greedy like its name suggests — confirm.
GREEDYASMXML (.<asm.)
filter:
filter {
if ("reqlog" in [tags]) {
grok {
patterns_dir => ["/etc/logstash/grok-patterns"]
match => [ "message", "%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{TIMESTAMP_ISO8601:timestampLocal}%{SPACE}%{WORD:thread}%{SPACE}%{WORD:nodeId}%{SPACE}%{WORD:type}\s%{GREEDYDATA:module}\s%{WORD:service}\s%{INT:nicelevel}\s%{INT:total_ms}\s%{INT:execution_ms}\s%{INT:transaction_ms}\s%{INT:statement_ms}\s%{INT:commit_ms}\s%{INT:istakeover}\s%{INT:status}" ,
"message", "%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{TIMESTAMP_ISO8601:timestampLocal}%{SPACE}%{WORD:thread}%{SPACE}Conn:%{WORD:nodeId}%{SPACE}%{WORD:type}\s%{GREEDYDATA:module}\s%{WORD:service}\s%{INT:nicelevel}\s%{INT:total_ms}\s%{INT:execution_ms}\s%{INT:transaction_ms}\s%{INT:statement_ms}\s%{INT:commit_ms}\s%{INT:istakeover}\s%{INT:status}",
"message", "%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{TIMESTAMP_ISO8601:timestampLocal}%{SPACE}%{WORD:thread}%{SPACE}%{WORD:nodeId}%{SPACE}%{WORD:type}%{SPACE}%{WORD:takeovernode}%{SPACE}%{WORD:module}.%{WORD:service}\s%{INT:nicelevel}\s%{INT:total_ms}\s%{INT:execution_ms}\s%{INT:transaction_ms}\s%{INT:statement_ms}\s%{INT:commit_ms}\s%{INT:istakeover}\s%{INT:status}"]
}
date {
match => [ "timestamp", "ISO8601" ]
}
mutate {
convert => { "nicelevel" => "integer" }
convert => { "total_ms" => "integer" }
convert => { "execution_ms" => "integer" }
convert => { "transaction_ms" => "integer" }
convert => { "statement_ms" => "integer" }
convert => { "commit_ms" => "integer" }
convert => { "istakeover" => "integer" }
convert => { "status" => "integer" }
}
}
else {
multiline {
pattern => "^#"
negate => true
what => "previous"
}
if [message] =~ /.+/ {
grok {
patterns_dir => ["/etc/logstash/grok-patterns"]
match => [ "message", "(?m)%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:thread}%{SPACE}%{WORD:nodeid}%{SPACE}%{LOGLEVEL:level}\s%{DATA:class}\s%{GREEDYDATA:messagetext}\s%{GREEDYXML:messagexml}" ,
"message", "(?m)%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:thread}%{SPACE}Conn:%{WORD:nodeid}%{SPACE}%{LOGLEVEL:level}\s%{DATA:class}\s%{GREEDYDATA:messagetext}\s%{GREEDYXML:messagexml}" ,
"message", "(?m)%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:thread}%{SPACE}%{WORD:nodeid}%{SPACE}%{LOGLEVEL:level}\s%{DATA:class}\s%{GREEDYDATA:messagetext}",
"message", "(?m)%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:thread}%{SPACE}Conn:%{WORD:nodeid}%{SPACE}%{LOGLEVEL:level}\s%{DATA:class}\s%{GREEDYDATA:messagetext}",
"message", "(?m)%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:thread}%{SPACE}Conn:%{WORD:nodeid}%{SPACE}IP:%{WORD:ip}\s%{LOGLEVEL:level}\s%{DATA:class}\s%{GREEDYDATA:messagetext}"
]
}