Simple parsing in logstash

Beuhlet_Reseau · March 6, 2017, 3:36pm

Hey !

I have a question

Imagine a log file that has different lines than :
Nick,connect,11:00,appli1
Pablo,disconnect,,

My pattern is

%{WORD:name}[;]%{WORD:action}[;]%{DATA:time}[;]%{WORD:application}

in the first case, the pattern is ok ! BUT in the second case, the line doesn't match.

Empty fields are the problem I think ?
How can I make sure that my pattern adapt when the fields are empty?

Christian_Dahlqvist · March 6, 2017, 3:40pm

Grok is great, but not necessarily the best filter for all types of data. In your case it might be easier to use the csv filter.

Beuhlet_Reseau · March 7, 2017, 9:07am

Ok i don't know csv filter, do you explain me or show me an example with my data ?

Beuhlet_Reseau · March 7, 2017, 9:20am

filter {
     csv {
       [ "name", "action", "date", "application" ]
       separator => ","
       convert => {"name" => "word", "action" => "word", "application" => "word"}
         }

     date {
       match => [ "datelog", "UNIX" ]
       remove_field => ["datelog"]
             }
       }

Somethings like it ?

Beuhlet_Reseau · March 7, 2017, 9:22am

In which cases to use grok or csv ?

I also heard about multiline.

If you are the time @Christian_Dahlqvist , i will be very happy if you explain me with use case.

Christian_Dahlqvist · March 7, 2017, 12:50pm

Which filter you use depends on the format of the data. In this case it seems like a natural fit for the csv filter. Sometimes you can also combine multiple filters, e.g. first separate out sections of the log using grok and then applying other filters to the various parts.

The csv filter parses everything as strings, so I do not know what you are trying to achieve with your convert statement. I also do not see any field named date log being extracted, so suspect your date filter may fail.

Beuhlet_Reseau · March 9, 2017, 10:05am

@Christian_Dahlqvist Thank you ! CSV filter is easier to use than grok (who ask value type ect....)

I have a question about csv filter !

 if [type] == "test_edr" {
      csv {
        columns => [ ".,..,..,..,.." ]
        separator => ","
          }

Whats delete line header ? With an If or somethings like it ?

Tooo I try to convert fields, I have try this :

mutate {
  convert => { "edr_UsedTotalOctets" => "integer", "edr_GrantedTotalOctets" => "integer", "edr_Usage-Limit" => "integer" }
       }

Maybe i must declare somes mutate for one field ?

It's doesn't work.

Thank for your help @Christian_Dahlqvist

Christian_Dahlqvist · March 9, 2017, 12:57pm

The csv filter parses all fields as strings, so you will need to convert field types. There is no special handling of a header line, so what I often do when I have csv files with a header is to drop the record if I see that one of the fields parsed contains the expected header title (assuming I know no data lines has this value).

You say that it is not working, but not what is wrong. For us to be able to help, please show an example raw event as well as the result of the processing when you output this to the stdout plugin with a rubydebug codec.

system · April 6, 2017, 12:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Request help with a grok filter pattern for date Logstash	3	542	July 6, 2017
Need help with the grok and the date filter for parsing logs Logstash	29	2720	July 25, 2017
Parse string data with ; separator in logstash Logstash	6	6005	June 27, 2017
Logstash date extraction help Logstash	3	612	December 26, 2016
Logstash Date Filter Not Recognizing the pattern Logstash	2	376	February 12, 2019

Simple parsing in logstash

Related topics