Hello, i would like your opinions about a strangeness.
I have one log file who i have configured with filebeat & logstash.
It's OK. I can show the fields i want, create graph...
Next :
I added a new log file in the same directory.
I added prospector in filebeat :
filebeat.prospectors:
- input_type: log
paths:
- /home/Vol_rise_hour-C-FWK-BMA-EDR-2
document_type: vol_rise
- input_type: log
paths:
- /home/CA_po_hour-C-FWK-BMA-EDR-3
document_type: ca_po
I added if==type in logstash conf to take this new file :
filter {
if [type] == "vol_rise" {
grok {
match => { "message" => "%{DATA:date}[;]%{DATA:vol_rise_zones}[;]%{DATA:zone}[;]%{NUMBER:volume}" }
match => { "message" => "%{DATA:date}[;]%{DATA:vol_ent_total}[;]%{NUMBER:volumetot}" }
}
mutate {
convert => { "volume" => "integer" }
}
mutate {
convert => { "volumetot" => "integer" }
}
date {
match => [ "date", "YYYYMMddHHmmss" ]
}
}
if [type] == "ca_po" {
grok {
match => { "message" => "%{DATA:date}[;]%{DATA:compteur_ca_po}[;]%{DATA:type_cra}[;]%{DATA:zone_ca_po}[;]%{NUMBER:ca_po}" }
}
mutate {
convert => { "ca_po" => "integer" }
}
date {
match => [ "date", "YYYYMMddHHmmss" ]
}
}
}
Ok, any error.
I go to Kibana and i see the new lines of the second log file BUT any fields are recognized :
PS : If I uncheck the option "Hide missing fields", i see the fields i want. It's parse probleme in logstash you think ?