I am using Logstash grok filters for extracting useful information from the log files.
I specifically need to extract recurring stopwatch lines from the log file info.
My grok filter does match the first set of stopwatch lines in my log file and parses them, but it skips the rest of the log content, where there are multiple stopwatch lines, and they just appear in the message body.
My Logstash grok pattern is something like
"message" => "%{DATESTAMP:endTime}%{SPACE}%{WORD}%{SPACE}%{NUMBER}%{SPACE}---%{SPACE}[%{NOTSPACE}]%{SPACE}-%{WORD}"
My logfile content is
2019-06-17 13:49:20.761 INFO (pattern i want to extract)........
2019-06-17 13:49:20.761 INFO (pattern i want to extract)........
My pattern captures the first line and structures it into the variable names I give in the grok. But it skips the next line and moves it to the message body.
The problem is not with Logstash. When I run the ELK stack locally, my grok filter applies its pattern to all log lines and creates multiple structured fields in Elasticsearch.
But when I try to do it on a server where Filebeat is pushing multiple log files from different servers to one Logstash server, the problem occurs.
The problem is that my filter parses information correctly, but it leaves out some of the log lines that match the filter and extracts only a few. I don't know why.