Mutate | Some logs are parsed some not

thirty2 · January 28, 2019, 2:26pm

Hi,

did you ever observed that some logs are parsed and some not when using MUTATE filter?

Thanks

guyboertje · January 29, 2019, 12:29pm

We need more information to be able to help. The mutate filter has many sub functions.

thirty2 · January 30, 2019, 8:35am

Filter is really simple, and i can see that some logs have the new tag and some not.

filter {
     mutate {
     add_tag => [ "beparsed" ]
  }
 }

output {
elasticsearch {
index => "logstash-%{+xxxx.ww}"
hosts => ["[ip]:9200","[ip]:9200","[ip]:9200"]
manage_template => true
}
}

Also tried:

  filter {
	json {
       source => "rawdata"
       skip_on_invalid_json => true
         }
         mutate {
         add_tag => [ "beparsed" ]
      }
     }

guyboertje · January 30, 2019, 12:25pm

Using mutate/add_tag in this way should add a tag to every event (log).

Which version of Logstash and the mutate plugin are you using?

bin/logstash --version
bin/logstash-plugin list --verbose | grep mutate

thirty2 · January 31, 2019, 8:09am

It is:
logstash 5.2.1
logstash-filter-mutate (3.1.3)

i also tried:

filter {
     json {
       source => "rawdata"
       skip_on_invalid_json => true
  }
     mutate {
       remove_field => [ "host01", "timestamp", "type" ]
 }
}

And it is the same, some logs are parsed some not. The reason why i want to do that is because i am getting raw logs with no structure. So i have applied simple filter and i was able to see logs in Kibana with structure, containing fields from the raw log. But not all of them, that is the problem.

guyboertje · January 31, 2019, 9:38am

I don't have an explanation why some events are not being seen in kibana.

As a comparison, you should try 6.6.0 of the Stack.

system · February 28, 2019, 9:38am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.