My grok debugger pattern output doesn't look like the kibana output!

Hello guys,
My grok debugger pattern output doesn't look like the Kibana output! Any idea?


Here it is in Kibana:

I think it is a multiline problem! I added the multiline codec in the Logstash input, and I also tried with filebeat.yml, but it is not working!

Based on what you have shown I find it hard to see what the problem is. It might help if you show the full JSON of a document that has been incorrectly parsed.

2019-03-11 11:12:40,670 ERROR [org.hibernate.util.JDBCExceptionReporter] ORA-28144: Echec de l'exécution du gestionnaire d'audit détaillé
ORA-20417: ERROR SECURITY DATA
ORA-06512: à "PRODUCTION_AUDIT", ligne 39
ORA-06512: à ligne 1

And this is the pattern used, which matches correctly in the grok debugger:

%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:Loglevel} \[(?<classname>[^\]]+)\] %{GREEDYDATA:Error}(?<msg>[^\)]+)

What do the resulting JSON documents in Elasticsearch look like?

{
  "_index": "filebeat-2019.04.08",
  "_type": "doc",
  "_id": "ZQJe_GkBGmfQmneQJD3j",
  "_version": 1,
  "_score": null,
  "_source": {
    "prospector": {},
    "classname": "org.hibernate.util.JDBCExceptionReporter",
    "beat": {},
    "@version": "1",
    "Loglevel": "ERROR",
    "timestamp": "2019-03-11 09:12:16,070",
    "Error": "ORA-28144: Echec de l'exécution du gestionnaire d'audit détaill",
    "@timestamp": "2019-04-08T09:51:57.219Z",
    "msg": "é",
    "log": {
      "file": {},
      "flags": [
        "multiline"
      ]
    },
    "input": {},
    "host": {
      "os": {}
    }
  },
  "fields": {
    "@timestamp": [
      "2019-04-08T09:51:57.219Z"
    ]
  },
  "sort": [
    1554717117219
  ]
}

It should look like this:

{
  "timestamp": [
    "2019-03-11 11:12:40,670"
  ],
  "Loglevel": [
    "ERROR"
  ],
  "classname": [
    "org.hibernate.util.JDBCExceptionReporter"
  ],
  "Error": [
    "ORA-28144: Echec de l'exécution du gestionnaire d'audit détaillé"
  ],
  "msg": [
    "\nORA-20417: ERROR SECURITY DATA\nORA-06512: à "GID_PRODUCTION.GID_SEC_AUDIT_PKG", ligne 39\nORA-06512: à ligne 1"
  ]
}
