Parsing typical logback log lines

gaukharaya · January 30, 2018, 4:47pm

Hi,

I am trying to send the following format log line from filebeat 6 to es6:
%d{yyyy-MM-dd HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n

In my prospectors I specify:

type: log

Looking at fields.xml the default log fields do not contain fields described in the above log line, from forum posts from '16 it looks like input-type: log used to be able to parse the typical logback log lines.

In the latest filebeat though I see a lot of fields I do not need such as offset, beat.name, beat.version etc.

Can I modify fields.xml to extact the fields like thread, logger and level or is there a default module that let's me do that out of the box?

Thank you very much in advance!

steffens · January 30, 2018, 5:25pm

Filebeat is not doing any parsing for you. Do you use logstash or Elasticsearch ingest node for parsing?

Some fields (like offset) can be removed using the drop_fields or include_fields processors.

The fields.yml file only specifies the mapping of fields (essentially defines schema of beats events), but does not configure the fields to be exported.

system · February 27, 2018, 5:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Exported fields in filebeat processors Beats filebeat	2	1137	March 13, 2017
Parsing logback log files with filebeat and sending them to Elasticsearch Beats	15	26161	July 5, 2017
Filebeat didn't drop some of the fields Beats filebeat	2	3993	June 19, 2017
Filebeat with LogstashXML parser Logstash	8	510	September 11, 2018
Fields merging in 6.0 differs from 5.x Beats filebeat	4	559	December 29, 2017

Parsing typical logback log lines

Related Topics