Mutate "message" don't understand example

I read the example about mutating a field in Logstash, but I don't understand the syntax correctly.

After parsing I want to replace the whole "message" with the %{GREEDYDATA} part.

So I tried:

```
if [type] == "apache-error" {
  grok {
    match => {
      "message" => "\[%{DATA:LogID}\]\s\[%{TIMESTAMP_ISO8601:timestamp}\]\s\[.*: %{LOGLEVEL:loglevel}\]\s\[\w+: %{NUMBER:pid}\]\s\[%{IPORHOST:client}\:%{POSINT:port}\]\s\[%{DATA:src filename}\]\s(\[%{DATA:errorstatus}\])?%{GREEDYDATA:message}"
    }
  }
  date {
    #match => [ "timestamp", "TIMESTAMP_ISO8601"]
    match => [ "timestamp", "YYYY-MM-dd HH:mm:ss.SSSSSS" ]
  }
  mutate {
    replace=> { "message" => "%{GREEDYDATA}" }
    remove_field => [ "timestamp", "tags", "input_type" ]
    remove_tag => [ "beat.name","beat.version","_score","_type" ]
  }
}
```

But Kibana shows me only message: %GREEDYDATA
So how can I replace the message after parsing with %GREEDYDATA?

The GREEDYDATA part should already be stored in the message field as that is what your configuration shows. If this is not working, possibly as the message field is being processed, you could change the name of the captured field to something else, e.g. message1. You can then replace the message field with the message1 field in your mutate filter and then drop the message1 field.


You need to include overwrite => ["message"] in your grok filter.

#match => [ "timestamp", "TIMESTAMP_ISO8601"]

Don't conflate grok patterns with date patterns. You could've used ISO8601 here.

replace=> { "message" => "%{GREEDYDATA}" }

This doesn't make sense since you don't have a field named GREEDYDATA. Remove it.

remove_tag => [ "beat.name","beat.version","_score","_type" ]

Multiple problems:

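Putting the two answers together, this is an added example of the corrected filter block (not posted by anyone in the thread). It assumes the same grok pattern as the question, renames the `src filename` capture to `src_filename` so the field name has no space, keeps the date format the question already uses (the ISO8601 shorthand suggested above is an alternative), and drops the `remove_tag` list, whose entries are field names rather than tags:

```conf
filter {
  if [type] == "apache-error" {
    grok {
      match => {
        "message" => "\[%{DATA:LogID}\]\s\[%{TIMESTAMP_ISO8601:timestamp}\]\s\[.*: %{LOGLEVEL:loglevel}\]\s\[\w+: %{NUMBER:pid}\]\s\[%{IPORHOST:client}\:%{POSINT:port}\]\s\[%{DATA:src_filename}\]\s(\[%{DATA:errorstatus}\])?%{GREEDYDATA:message}"
      }
      # grok will not write into a field that already exists unless told to,
      # so without this line "message" keeps the raw, unparsed log line.
      overwrite => [ "message" ]
      # Events that do not match keep their raw line and get this tag,
      # which is what you search for to find parsing gaps.
      tag_on_failure => [ "_grokparsefailure" ]
    }
    date {
      # Date-filter syntax (Joda-style), not a grok pattern name.
      match => [ "timestamp", "YYYY-MM-dd HH:mm:ss.SSSSSS" ]
    }
    mutate {
      # No replace needed: after grok with overwrite, "message" already
      # holds the %{GREEDYDATA} capture. "tags" is kept so that
      # _grokparsefailure and _dateparsefailure remain visible.
      remove_field => [ "timestamp", "input_type" ]
    }
  }
}
```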

Thank you both for fast responding, trying again.
