Parsing custom field with logstash

mohsin106 · February 27, 2017, 2:17pm

Hi,

I have a log file that I need to parse. I'm forwarding the log from a remote server using FileBeat. My log file content looks like this:

ip address, data (characters and numbers).

My logstash conf file looks like this:

input {
beats {
port => "5043"
}
}

filter {
geoip {
source => "message"
}
}

output {
elasticsearch {
hosts => ["10.10.10.10:9200"]
index => "test"
}
}

I can see my log data using Kibana under the "test" index. My log content is inside the message field. I'm familiar with REGEX but what is the syntax that I need to add to my logstash conf file that will allow me to create custom fields for IP or anything else? I'd like to be able to see an IP field when looking in Kibana as I see the message field.

Thanks,
Mo

mohsin106 · February 27, 2017, 5:31pm

Just kidding, its working!

I was looking at the wrong index

Works much better if you look at the right index in Kibana!

system · March 27, 2017, 5:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.