Nothing in filter block is being parsed. Why is only the filter not working in logstash?

Mehak_Bhargava · March 3, 2020, 1:44am

I tried adding mutate and add_filed along with grok filter but nothing is working. The logs are only parsed as default method.

#listening on this port
input {
  beats {
    port => 5044
  }
}

filter {
  if[fields][tags] =="ngta-web" { 
    mutate {
      add_field => { "host" => "%{[event_data][IpAddress]}" }
    }
    grok {
      break_on_match => false
      match => {
	"message" => [
	   "%{DATESTAMP:timestamp}%{SPACE}%{GREEDYDATA}%{SPACE}%{LOGLEVEL:loglevel}%{SPACE}%{JAVACLASS:javaClass}%{GREEDYDATA:logmessage}"
         ]
      }
    }
  }
}
output {
    elasticsearch {
    hosts => ["localhost:9200"]
    sniffing => true
    manage_template => false
    ilm_enabled => false
    index    => "%{[fields][tags]}"  
  }
  stdout {
    codec => rubydebug
  }
}

rugenl · March 3, 2020, 2:24am

Include a sample from stdout. It would seem [fields][tags] is not "ngta-web".

Mehak_Bhargava · March 3, 2020, 2:31am

@rugenl
An index under this name is created-

yellow %{[fields][tags]}

And this is the sample of stdout that keeps on repeating in logstash terminal. And host isnt added in field and neither is timestamp, loglevel shown on kibana.

 },
      "@version" => "1",
       "message" => "08/10/2019 12:26:01 137   (null)                  INFO   23   Leftside Filter Expression : SubCategory=\"Audit/DES Keys\" AND SourceProblemName=\"Audit/DES Keys\" for User NBK7G0J Item Count : 4",
          "host" => {
        "name" => "mehak-VirtualBox"
    },
        "fields" => {
        "log_type" => "ngta-web"
    }
}
{
    "@timestamp" => 2020-03-03T02:29:35.855Z,
          "tags" => [
        [0] "beats_input_codec_plain_applied"
    ],
           "log" => {
        "offset" => 26032684,
          "file" => {
            "path" => "/home/mehak/Documents/filebeat-7.4.0-linux-x86_64/logs/log2.log"
        }
    },
           "ecs" => {
        "version" => "1.1.0"
    },
         "agent" => {
            "hostname" => "mehak-VirtualBox",
                  "id" => "bad135c8-d359-4936-b515-79eb4bb24630",
             "version" => "7.4.0",
                "type" => "filebeat",
        "ephemeral_id" => "f32e4213-4378-4811-b85e-50d327ab6846"
    },
      "@version" => "1",
       "message" => "08/10/2019 12:26:01 137   (null)                 DEBUG   23   Filter :  SubCategory=\"Card Reader\" ",
          "host" => {
        "name" => "mehak-VirtualBox"
    },
        "fields" => {
        "log_type" => "ngta-web"
    }
}

Mehak_Bhargava · March 3, 2020, 2:51am

The index worked by having correct name ngta-web and the filed host is also added. But the grok filter is still not working properly.
In my grok filter, I want to match a filename by the log file path and then apply different grok filters. For instance, my log file name is ngta_web.log and I want this log file to follow the first grok pattern if block, so I am making it match on the file name path. This is my updated grok-

filter {
  if[fields][tags] =="ngta-web" { 
    mutate {
      add_field => { "host" => "%{[event_data][IpAddress]}" }
    }
    grok {
      break_on_match => false
      match => {"log.file.path" => "%{GREEDYDATA}/%{GREEDYDATA:filename}\.log"}
      match => {
	"message" => [
	   "%{DATESTAMP:timestamp}%{SPACE}%{GREEDYDATA}%{SPACE}%{LOGLEVEL:loglevel}%{SPACE}%{JAVACLASS:javaClass}%{GREEDYDATA:logmessage}"
         ]
      }
    }
  }
else if [fields][tags] == "ngta-app" {
  
    grok {
      break_on_match => false
      match => { 
	"message" => [
	   "%{DATESTAMP:timestamp}%{SPACE}%{GREEDYDATA}%{SPACE}%{LOGLEVEL:loglevel}%{SPACE}%{JAVACLASS:javaClass}%{GREEDYDATA:logmessage}" 
 	]
      }
    }
  }
  else if [fields][tags] == "monitoring-app" {
  
     grok {
        break_on_match => false
        match => {
	   "message" => [
		"%{DATESTAMP:timestamp}%{SPACE}%{GREEDYDATA}%{SPACE}%{LOGLEVEL:loglevel}%{SPACE}%{JAVACLASS:javaClass}%{GREEDYDATA:logmessage}"
	    ] 
        }
     }
  }
}

Badger · March 3, 2020, 3:31am

You have a field called [fields][log_type], not [fields][tags].

Mehak_Bhargava · March 3, 2020, 3:41am

Yes I fixed this @Badger. But my issue now is that the filename I am trying to do search query on to apply grok filters. I try the match statement on log.file.path name and then apply grok filter respectively. Any idea if how I have the match and grok written right now is correct?

system · March 31, 2020, 3:41am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok filter not being applied but logstash logs being collected Logstash	10	1093	April 2, 2020
Grok filter not working after add tags Logstash	3	872	September 20, 2017
Grok filter isn't working but working in kibana grok debugger Logstash	1	189	May 9, 2023
Grok filter not working Logstash	2	442	December 18, 2020
Grok filter does not behave as I want it to Logstash	2	695	October 17, 2018

Nothing in filter block is being parsed. Why is only the filter not working in logstash?

Related Topics