Problem while using dissect plugin to parse logs

RamyaGowda · June 26, 2018, 4:44am

Hi

i have a requirement of parsing netstat logs using logstash, sample logs looks like bellow:

the logstash configuration which i tried is here:

input {
file
{
path => "/home/samplelog"
start_position => "beginning"
}
}

filter {
dissect {
mapping => {
"message" => "TIME: %{time}
%{}"
}
}

if [message] =~ /^\s+(TCP|UDP)/ {
dissect {
mapping => {
"message" => "%{?tmp->} %{Protocol->} %{localAdd->} %{Foreign Address->} %{state}"
}
}
} else {
drop {}
}

}

output
{
if "_grokparsefailure" not in [tags]
{
elasticsearch {
hosts => ["localhost:9200"]
index => "anyindex"
}
}

stdout { codec => rubydebug }
}

resulted outcome from above configuration is :

{
"Protocol" => "TCP",
"localAdd" => "",
"time" => "",
"path" => "/home/avk03/JarAndZip/jar-file/config/logstash-6.1.1/Logs/try.txt",
"state" => " 0.0.0.0:445 0.0.0.0:0 LISTENING",
"@timestamp" => 2018-06-15T10:08:19.779Z,
"@version" => "1",
"message" => " TCP 0.0.0.0:445 0.0.0.0:0 LISTENING",
"host" => "avk03-Vostro-3800",
"Foreign Address" => ""
}

the parser is not reading lines Which contains TIME data, i am not able to resolve this issue please help.

Christian_Dahlqvist · June 26, 2018, 5:50am

The pattern for the TIME field has a newline in it. If you are not using multiline codec and split as described in this thread it will not work as all lines will be processed separately and therefore not contain any newline.

RamyaGowda · June 26, 2018, 9:53am

Yes i got where i did mistake now after using multiline codec and split filter, parser is working fine.

@timestamp": "2018-06-26T07:50:10.161Z",
"Foreign Address": "0.0.0.0:0",
"message": " TCP 0.0.0.0:10 0.0.0.0:0 Ramya",
"localAdd": "0.0.0.0:10",
"tags": [
"multiline"
],
"Protocol": "TCP",
"@version": "1",
"host": "avk03-Vostro-3800",
"path": "/home/avk03/JarAndZip/jar-file/config/logstash-6.1.1/Logs/abc",
"state": "ESTABLISHED",
"time": "16:14:30.13"

Now i have to convert above time to date object using date filter, is it possible only for time in logstash ?? Please reply

system · July 24, 2018, 9:53am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash dissect plugin prase doesn't correct with empty field in content Logstash	6	1599	November 30, 2017
Grok help not getting data Logstash	3	111	June 2, 2024
Dissector mapping, pattern not found in Logstash Logstash	8	1279	February 17, 2021
How to use Dissect to handle a newline Logstash	3	785	March 26, 2019
Grok filter issue with data on Logstah config Logstash	4	307	June 7, 2019

Problem while using dissect plugin to parse logs

Related Topics