Parse log file line by line

Elastic Stack Logstash
1

I have a log file with output repetitive below, I want to parse this log line by line in fields to extract the value for each line

10:31:07 2022/10/16 ZBXTRAP 192.168.23.2
PDU INFO:
  messageid                      0
  community                      public
  errorindex                     0
  transactionid                  2
  errorstatus                    0
  version                        1
  notificationtype               TRAP
  requestid                      646956120
  receivedfrom                   UDP: [192.168.23.2]:32768->[192.168.23.99]:162
VARBINDS:
  DISMAN-EVENT-MIB::sysUpTimeInstance type=67 value=Timeticks: (3644796808) 421                                                            days, 20:26:08.08
  SNMPv2-MIB::snmpTrapOID.0      type=6  value=OID: SNMPv2-SMI::enterprises.6302                                                           .2.1.5.1
  SNMPv2-SMI::enterprises.6302.2.1.4.1.1 type=65 value=Counter32: 1280
  SNMPv2-SMI::enterprises.6302.2.1.4.1.2 type=4  value=Hex-STRING: 07 DE 08 07 0                                                           6 16 07 00 2B 00 00
  SNMPv2-SMI::enterprises.6302.2.1.4.1.3 type=2  value=INTEGER: 2
  SNMPv2-SMI::enterprises.6302.2.1.4.1.4 type=2  value=INTEGER: 3
  SNMPv2-SMI::enterprises.6302.2.1.4.1.5 type=4  value=STRING: "Mains Failure, its owner: Power System"
  SNMPv2-SMI::enterprises.6302.2.1.4.1.6 type=2  value=INTEGER: 78325

my logstash script that give a message field:

input {
  file {
    path => "/var/log/snmptrap/snmptrap.log"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    codec => multiline{
      pattern =>"%{DATE:date} %{TIME:time}"
      negate =>true
      what => "previous"
    }
  }
}
output {
        elasticsearch {
        hosts => ["127.0.0.1:9200"]
        }
}
2

If you want to parse it line by line you need to remove the multiline codec from your input.

This will make every line in the log you shared independent from each other.

3

I have a repetitive bloc with the same format of lines, how to have a entry in Kibana of each bloc if I suppress multiline codec?
i have used multiline codec to parse to message field in logstash,
how to parse message field

4

You could use grok. See this thread for an example.

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.