New log file not parsed with the same config?

Elastic Stack Logstash
1

Hello, i would like your opinions about a strangeness.

I have one log file who i have configured with filebeat & logstash.

It's OK. I can show the fields i want, create graph...

Next :

I added a new log file in the same directory.

I added prospector in filebeat :

filebeat.prospectors:

- input_type: log
  paths:
      - /home/Vol_rise_hour-C-FWK-BMA-EDR-2
  document_type: vol_rise

- input_type: log
  paths:
     - /home/CA_po_hour-C-FWK-BMA-EDR-3
  document_type: ca_po

I added if==type in logstash conf to take this new file :

 filter {
  if [type] == "vol_rise" {
    grok {
      match => { "message" => "%{DATA:date}[;]%{DATA:vol_rise_zones}[;]%{DATA:zone}[;]%{NUMBER:volume}" }
      match => { "message" => "%{DATA:date}[;]%{DATA:vol_ent_total}[;]%{NUMBER:volumetot}" }
         }

    mutate {
     convert => { "volume" => "integer" }
           }

    mutate {
     convert => { "volumetot" => "integer" }
           }

   date {
     match => [ "date", "YYYYMMddHHmmss" ]
        }
                                  }

 if [type] == "ca_po" {
     grok {
       match => { "message" => "%{DATA:date}[;]%{DATA:compteur_ca_po}[;]%{DATA:type_cra}[;]%{DATA:zone_ca_po}[;]%{NUMBER:ca_po}" }
          }

     mutate {
       convert => { "ca_po" => "integer" }
          }

    date {
         match => [ "date", "YYYYMMddHHmmss" ]
          }
                        }
                              }

Ok, any error.

I go to Kibana and i see the new lines of the second log file BUT any fields are recognized :

PS : If I uncheck the option "Hide missing fields", i see the fields i want. It's parse probleme in logstash you think ?

2

Never mind what the available fields list in Kibana looks like. What do the events look like? Expand them in the main panel.

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.