Split CSV data from beats

millerb1 · March 5, 2018, 10:41pm

We are new to ELK and need help with our Log Stash filter. We don’t need to filter any rows, just separate the data into their respective columns and use the Timestamp column as a Timestamp

[2018-03-05 15:26:36.456]|-420|DEBUG|C001|row: 1|my useful message
[2018-03-05 15:29:05.137]|-420|INFO|C042|emp: 1002|another useful log message

What I have so far:
input {
beats {
host => "localhost"
port => "5044"
}
}

filter {
csv {
columns => ["TimeStamp","UtcOffset","Level","Code","Reference","Message"]
separator => "|"
skip_empty_columns => "true"
}
}

output {
elasticsearch {
hosts => "localhost:9200"
index => "PSS_Log_%{+YYYY.MM.dd}"
}

stdout { }

}

tag_v · March 6, 2018, 5:46am

With csv filter you wrote can do this.

date {
    match => ["TimeStamp", "TIMESTAMP_ISO8601"]   // This will match timestamp and put in @timestamp field
  }

If you want to remove from Timestamp field you can use gsub to remove them before applying date filter.

system · April 3, 2018, 5:46am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat Logstash CSV filter best practices Beats filebeat	3	884	March 15, 2020
Unable to parse CSV input from Filebeat -> Logstash Logstash	3	1755	April 30, 2019
Multiple input for Logstash from filebeat Logstash	11	2636	July 6, 2017
CSV Timstamp issues Logstash	20	3036	July 6, 2017
All csv columns are saved inside message field Logstash	2	392	July 1, 2020

Split CSV data from beats

Related topics