Hi,
I'm pretty new to Logstash, and I'm trying to evaluate it to see if it will do what I'd like to do.
I'm starting with logs that are partly in log4j format but also include lines that aren't, so a straight log4j filter won't work. I don't care about most of the log4j-formatted information anyway.
I want to do a number of things that would be pretty easy to accomplish with grep, but I can't tell if I'm thinking about them properly for using Logstash:
- Pluck the numeric values out of a line like "Success on 567 records and failure on 34" and associate them with keys.
- I have a bunch of lines like "<statistic> = <value>" - I'd like those to show up in my eventual output as "statistic" => "value". I can't tell if this is a job for grok or for the kv filter.
- Count the number of log4j ERROR lines in the file (is this an aggregate filter use case, or can you do this with metric somehow?)
- Count the number of different types of log4j errors
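For the "statistic = value" lines, here's a sketch of what I had in mind with kv - I'm guessing at the trim options, and I'm not sure whether the split settings are right for one pair per event:

```
filter {
  kv {
    # Each event is a single "statistic = value" line, so split only on "=".
    value_split => "="
    # Strip the spaces around the "=" from both the key and the value.
    # (Guessing these are the right option names in the kv filter.)
    trim_key   => " "
    trim_value => " "
  }
}
```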
Right now I've created a filter (included below) that groks out two different types of lines. That part works OK. I'm also trying to take the lines where I grok out the statistic and value fields separately and combine them into a single field. That part doesn't work.
filter {
  grok {
    match => { "message" => [
      "\s*%{WORD:statistic} = %{WORD:value}",
      "Success on %{NUMBER:successRecords} records and failure on %{NUMBER:failRecords}."
    ]}
  }
  if [statistic] {
    grok {
      add_field => { "%{statistic}" => "%{value}" }
      remove_field => [ "statistic", "value" ]
    }
  }
}
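For the part that doesn't work, I also considered using mutate instead of a second grok, since mutate takes add_field / remove_field directly and (I think) supports %{...} references in the field name - this is just a sketch, so I may be misunderstanding how the options are applied:

```
filter {
  if [statistic] {
    mutate {
      # Create a field named after the statistic, holding its value,
      # then drop the two intermediate fields. I'm assuming add_field
      # is applied before remove_field within a single mutate.
      add_field    => { "%{statistic}" => "%{value}" }
      remove_field => [ "statistic", "value" ]
    }
  }
}
```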
I could probably get this to work eventually, but what I really want to know is whether I'm going about this all wrong to start with, and whether I'm misunderstanding how (or if) Logstash should be used for this kind of problem.
Would greatly appreciate thoughts from more experienced people!