Problem while using dissect plugin to parse logs

RamyaGowda · June 26, 2018, 4:44am

Hi

i have a requirement of parsing netstat logs using logstash, sample logs looks like bellow:

the logstash configuration which i tried is here:

input {
file
{
path => "/home/samplelog"
start_position => "beginning"
}
}

filter {
dissect {
mapping => {
"message" => "TIME: %{time}
%{}"
}
}

if [message] =~ /^\s+(TCP|UDP)/ {
dissect {
mapping => {
"message" => "%{?tmp->} %{Protocol->} %{localAdd->} %{Foreign Address->} %{state}"
}
}
} else {
drop {}
}

}

output
{
if "_grokparsefailure" not in [tags]
{
elasticsearch {
hosts => ["localhost:9200"]
index => "anyindex"
}
}

stdout { codec => rubydebug }
}

resulted outcome from above configuration is :

{
"Protocol" => "TCP",
"localAdd" => "",
"time" => "",
"path" => "/home/avk03/JarAndZip/jar-file/config/logstash-6.1.1/Logs/try.txt",
"state" => " 0.0.0.0:445 0.0.0.0:0 LISTENING",
"@timestamp" => 2018-06-15T10:08:19.779Z,
"@version" => "1",
"message" => " TCP 0.0.0.0:445 0.0.0.0:0 LISTENING",
"host" => "avk03-Vostro-3800",
"Foreign Address" => ""
}

the parser is not reading lines Which contains TIME data, i am not able to resolve this issue please help.

Christian_Dahlqvist · June 26, 2018, 5:50am

The pattern for the TIME field has a newline in it. If you are not using multiline codec and split as described in this thread it will not work as all lines will be processed separately and therefore not contain any newline.

RamyaGowda · June 26, 2018, 9:53am

Yes i got where i did mistake now after using multiline codec and split filter, parser is working fine.

@timestamp": "2018-06-26T07:50:10.161Z",
"Foreign Address": "0.0.0.0:0",
"message": " TCP 0.0.0.0:10 0.0.0.0:0 Ramya",
"localAdd": "0.0.0.0:10",
"tags": [
"multiline"
],
"Protocol": "TCP",
"@version": "1",
"host": "avk03-Vostro-3800",
"path": "/home/avk03/JarAndZip/jar-file/config/logstash-6.1.1/Logs/abc",
"state": "ESTABLISHED",
"time": "16:14:30.13"

Now i have to convert above time to date object using date filter, is it possible only for time in logstash ?? Please reply

system · July 24, 2018, 9:53am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Dissect plugin reads too much into last field Logstash	1	417	February 25, 2018
Struggling with Grok/Dissect Logstash	2	273	October 24, 2019
Problem with parsing multiline filter plugin Logstash	17	1618	July 13, 2018
Logstash not parser correctly with dissect Logstash	2	273	October 13, 2019
Logstash dissect plugin prase doesn't correct with empty field in content Logstash	6	1601	November 30, 2017

Problem while using dissect plugin to parse logs

Related topics