Someone please clarify me on my configuration

Raja1 · April 27, 2017, 3:59am

Hi All,

I am getting bit confusion on type,field. Could you please someone confirm me by checking below configuration.

My intention is to create the index by environment wise and remove some fields from the output. Please have a look and clarify me if any mistakes.

input
{
file
{
path => "/etc/logs/POClogs/.log"
add_field => {"environment": "POC"}
start_position => "beginning"
}
{
path => "//etc/logstash/Devlogs/.log"
add_field => {"environment": "DEV"}
start_position => "beginning"
}
}
filter
{
grok
{
match => {"message" => "[%WARNING,%INFO]%{GREEDYDATA}[%WARNING]"}
add_field => { "ApplicationName" => "Devapp" }
add_field => { "ApplicationName" => "POCapp" }
remove_tag => ["_grokparsefailure"]
remove_field => ["clientHostname"]
remove_field => ["_type"]
remove_field => ["_score"]
}
}
output
{
if [type] == "Devlog"
{
elasticsearch
{
hosts => ["x.x.x.x:9200"]
index => "Devlog-%{+YYYY.MM.dd}"
}
}
else if [type] == "POClog"
{
elasticsearch
{
hosts => ["x.x.x.x:9200"]
index => "POClog-%{+YYYY.MM.dd}"
}
}
else
{
elasticsearch
{
hosts => ["x.x.x.x:9200"]
}
stdout { codec => rubydebug }
}
}

Regards
Raja

magnusbaeck · April 27, 2017, 5:22am

I don't see you ever setting the type field to anything so your conditions won't work as expected.

add_field => {"environment": "POC"}

Wrong syntax; use => and not :.

grok
{
match => {"message" => "[%WARNING,%INFO]%{GREEDYDATA}[%WARNING]"}
add_field => { "ApplicationName" => "Devapp" }
add_field => { "ApplicationName" => "POCapp" }
remove_tag => ["_grokparsefailure"]
remove_field => ["clientHostname"]
remove_field => ["_type"]
remove_field => ["_score"]
}

What's the point of this filter? You're not capturing any fields in the grok expression and you're deleting a number of fields that'll never exist at that point in the pipeline.

Raja1 · April 27, 2017, 5:31am

Thank you magnus.

I did the changes in my configuration and now it is working as expected.
But i have different folders having logs so how would i configure and also how can i make the index for each.

Ex: /etc/dev/.log
/etc/uat/.log
/etc/int/*.log

I want to set the index for each folder location so that i can able to find environment wise logs. Write now my configuration for only one file path like below. Please guide me to complete this.

input
{
file
{
path => ["/etc/Dev/*.log"]
codec => multiline {
pattern => "[%WARNING,%INFO]%{GREEDYDATA}[%WARNING]"
negate => "true"
what => "previous"
}
sincedb_path => "/dev/null"
start_position => beginning
ignore_older => 0
}
}
filter
{
grok
{
match => {"message" => "[%WARNING,%INFO]%{GREEDYDATA}[%WARNING]"}
}
}
output
{
elasticsearch
{
hosts => ["x.x.x.x:9200"]
action => "index"
}
stdout {codec => rubydebug }
}

magnusbaeck · April 27, 2017, 5:38am

I want to set the index for each folder location so that i can able to find environment wise logs.

One index per environment is most likely a bad idea. If you're doing this only to be able to distinguish different kinds of logs just use another field for that. Like the environment field in the configuration you posted previously.

Write now my configuration for only one file path like below.

Why not follow the pattern from the previous post? Apart from what I wrote it looked fine.

grok
{
match => {"message" => "[%WARNING,%INFO]%{GREEDYDATA}[%WARNING]"}
}

Again, what's the purpose of this filter?

Raja1 · April 27, 2017, 5:47am

Sorry it should be removed from my conf.

Actually my logs are starting with some status message like WARNING,INFO,FATAL i.e., i used multiline pattern.

How could i run mutiple conf files in single shot. Will that recommended to create multiple configuration files?

Raja1 · April 27, 2017, 7:08am

I am getting below error after adding the add_field. Please help me to resolve.

Cannot load an invalid configuration {:reason=>"Expected one of #, => at line 7, column 36 (byte 124) after input\n{\nfile\n{\n path => ["/etc/logstash/INTlogs/*.log"]\n type => "INTlog"\n add_field => {"environment"", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:47:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:139:ininitialize'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:277:in create_pipeline'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:95:inregister_pipeline'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:264:in execute'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/clamp-0.6.5/lib/clamp/command.rb:67:inrun'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:183:in run'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/clamp-0.6.5/lib/clamp/command.rb:132:inrun'", "/usr/share/logstash/lib/bootstrap/environment.rb:71:in `(root)'"]}

Raja1 · April 27, 2017, 7:12am

resolved this issue...small mistake in configuration.

Now i need to know executing multiple configuration files.

system · May 25, 2017, 7:17am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Error in Parsing logs Elasticsearch	2	612	January 11, 2019
Clarification on if/else behavior in output Logstash	3	379	October 21, 2019
Incorrect type of field in index from Logstash, why? Logstash	9	425	March 17, 2021
Output IF ELSE configuration error Logstash	8	35827	July 6, 2017
Logstash configuration returns different results Logstash	15	1378	August 13, 2019

Someone please clarify me on my configuration

Related topics