Removing fields from logstash

bharti · September 5, 2023, 7:26am

Can you please send me the syntax....am very new to elastic

chouben · September 5, 2023, 7:29am

If my assumption is correct that your logline ends up in message field:

You could also try something like:

match => { "message" => '^%{GREEDYDATA}"Status":"%{WORD:Status}"%{GREEDYDATA}$' }

You could try to parse the json messages "manually" via grok, but as indicated I would advise to use the json filter on the json message.. That implies you get the fields for free.

bharti · September 5, 2023, 7:30am

instead of grok right?

chouben · September 5, 2023, 7:30am

As indicated, you need to provide the required inputs. If you can't share them because they are confidential. This is the best I can do

bharti · September 5, 2023, 7:34am

beats_input_codec_plain_applied, _grokparsefailure

in the tag field the above output is showing

bharti · September 7, 2023, 5:20am

its working
thank you

bharti · September 7, 2023, 5:21am

one more question
i want to fetch multiple fields from message like status

bharti · September 7, 2023, 5:21am

how can i achieve this

bharti · September 7, 2023, 5:24am

[Debug] : 2023-09-05T08:59:40 -> [Response - {"abc":{"Service":{"Channel":{"HostIP":{"Status":"APPROVED" ,"Type":"AGENT"},
"Name":"abc.COM","Type":"AGENT"}}}}]

I want both status and Type in a separate fields
like:
Status APPROVED
Type AGENT

and so on

bharti · September 7, 2023, 5:26am

I am trying multiple ways but when it starts implementing, the logs stop loading on Kibana

chouben · September 7, 2023, 6:56am

Can you share your current approach? (filters in logstash)

bharti · September 7, 2023, 7:08am

input {
  beats {
    port => 5044
  }
}
filter {
    if "/var/log/abc.log"  in [log][file][path] {
      grok {
         match => { "message" => '^%{GREEDYDATA}"Status":"%{WORD:Status}"%{GREEDYDATA}$' }
      }

     grok {
        match => { "message" => '^%{GREEDYDATA}"type":"%{NUMBER:Type}"%{GREEDYDATA}$' }

     }
   }
}

currently am trying this ...but its not working

chouben · September 7, 2023, 7:32am

You are matching:

2 issues in your config:

"type" is not the same as "Type"
"AGENT" is not a number

Beside that, your sample also contains multiple "Type" fields. So might be tricky to get the right one with the grok approach..

bharti · September 7, 2023, 7:39am

multiple "Type" fields as in?

bharti · September 7, 2023, 7:50am

hey... it's working thanks
Tell me one thing....if the type is both number and word,so what will be the type
like for text we use WORD, for integers we use NUMBER
So what will be the type of varchar

chouben · September 7, 2023, 7:57am

Your sample contains:
{"Status":"APPROVED" ,"Type":"AGENT"}
"Name":"abc.COM","Type":"AGENT"}

chouben · September 7, 2023, 8:00am

Take a look at:

Which points via the predefined grok patterns link to:

github.com

elastic/elasticsearch/blob/main/libs/grok/src/main/resources/patterns/legacy/grok-patterns

USERNAME [a-zA-Z0-9._-]+
USER %{USERNAME}
EMAILLOCALPART [a-zA-Z][a-zA-Z0-9_.+-=:]+
EMAILADDRESS %{EMAILLOCALPART}@%{HOSTNAME}
INT (?:[+-]?(?:[0-9]+))
BASE10NUM (?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))
NUMBER (?:%{BASE10NUM})
BASE16NUM (?<![0-9A-Fa-f])(?:[+-]?(?:0x)?(?:[0-9A-Fa-f]+))
BASE16FLOAT \b(?<![0-9A-Fa-f.])(?:[+-]?(?:0x)?(?:(?:[0-9A-Fa-f]+(?:\.[0-9A-Fa-f]*)?)|(?:\.[0-9A-Fa-f]+)))\b

POSINT \b(?:[1-9][0-9]*)\b
NONNEGINT \b(?:[0-9]+)\b
WORD \b\w+\b
NOTSPACE \S+
SPACE \s*
DATA .*?
GREEDYDATA .*
QUOTEDSTRING (?>(?<!\\)(?>"(?>\\.|[^\\"]+)+"|""|(?>'(?>\\.|[^\\']+)+')|''|(?>`(?>\\.|[^\\`]+)+`)|``))
UUID [A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}
# URN, allowing use of RFC 2141 section 2.3 reserved characters

This file has been truncated. show original

The second link contains all predefined grok patterns.
If you need to match alphanumeric characters, you need to chose the appropriate pattern OR you define a custom pattern yourself.

bharti · September 8, 2023, 5:08am

The link is really helping me a lot.....
one question -
My logs' timestamp format is DD-MM-YYYY HH:MM:SS (08-09-2023 10:38:43AM)

so what will be the type
I looked in link but its not in the above format

bharti · September 8, 2023, 5:16am

{"Name":"txn_no","Value":"FT23217XT7DM"}

and for this JSON I need a field as
txn_no FT23217XT7DM
like this
How can I do this

bharti · September 8, 2023, 5:37am

{"Name":"txn_no","Value":"FT23217XT7DM"}

and like this, there is multiple name and values
like
{"Name":"txn_no","Value":"FT23217XT7DM"},{"Name":"txn_channel","Value":"AGENT"},{"Name":"debit_account_number"},{"Name":"credit_account_number"}

so I want to fetch each value in their respective names

Topic		Replies	Views
How to remove the fields Logstash	4	810	December 29, 2021
Remove unused Kibana fields/filters Logstash	3	987	April 25, 2019
Unable to remove field form nested object during mutate Logstash	4	12956	July 6, 2017
Need help how to remove unwanted fields logstash Logstash	2	995	May 11, 2022
Can't remove fields in logstash 5.2.2 Logstash	5	805	April 12, 2017

Removing fields from logstash

Related topics