Hi All,
I have an nxlog tcp output marked towards Logstash.
Here's the input from nxlog
{"EventReceivedTime":"2020-01-21T03:01:37.025293-07:00",
"Severity":"INFO",
"EventTime":"2020-01-21T03:01:37.025296-07:00",
"Hostname":"ELK01",
"Message":"[Thu Mar 09 08:19:21 2017] [info] [client 10.34.10.2] login successful"}
{"EventReceivedTime":"2020-01-21T04:01:37.025293-07:00",
"Severity":"ERROR",
"EventTime":"2020-01-21T04:01:37.025296-07:00",
"Hostname":"ELK01",
"Message":"[Thu Mar 09 08:19:21 2017] [error] [client 10.34.10.2] Invalid method in request \x16\x03\x01"}
{"EventReceivedTime":"2020-01-21T05:01:37.025293-07:00",
"Severity":"ERROR",
"EventTime":"2020-01-21T05:01:37.025296-07:00",
"Hostname":"ELK01",
"Message":"[Thu Mar 09 08:19:21 2017] [error] [client 10.34.10.2] IO exception"}
Note that there is no separator between each input, and they aren't grouped within a single output either.
Now here is my logstash conf:
```
input {
  tcp {
    port  => 8443
    codec => json
    type  => 'nxlog-json'
  }
}
output {
  elasticsearch {
    hosts => ["100.89.99.03"]
    index => "testnx"
  }
  stdout { codec => rubydebug }
}
```
With the above, even with the codec set to json, the data isn't getting split. It all falls in a single field: message.
For a different case, I have used the below for an API input where I was able to define everything:
```
filter {
  json {
    source => "result"
  }
  split {
    field => ["result"]
  }
}
```
where my data fields were in a common result set:
{"result":[ { .... ...."} , { .... .... }]}
Now in my new case, I don't have a common field where all my inputs land inside.
How do I apply filters according to my input?
Please help me.
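An added example pipeline, not the poster's own config: the `json` codec parses each received TCP chunk as a single JSON document, so several back-to-back records fail to parse and land unparsed in `message` with a `_jsonparsefailure` tag, whereas `json_lines` decodes one record per newline. The grok pattern, the `apache_*` field names and the `ELASTIC_HOST` placeholder are assumptions based on the sample records above, and the sender is assumed to terminate each record with a newline.

```conf
# Added example (not the poster's config). Assumes nxlog writes one JSON
# record per line, i.e. each record is terminated by "\n" on the wire.
input {
  tcp {
    port  => 8443
    type  => "nxlog-json"
    # codec => json      # decodes each received chunk as ONE document; a run of
    #                    # back-to-back records fails and lands in "message"
    #                    # tagged _jsonparsefailure
    codec => json_lines  # buffers the stream and decodes one record per "\n"
  }
}

filter {
  if "_jsonparsefailure" in [tags] {
    # Keep malformed records visible (e.g. an escape like \x16 is not valid
    # JSON) instead of silently losing them; route them separately if needed.
    mutate { add_tag => ["nxlog_bad_json"] }
  } else {
    # Use the sender's own timestamp rather than Logstash's arrival time.
    date {
      match  => ["EventTime", "ISO8601"]
      target => "@timestamp"
    }
    # Assumed layout of Message from the samples: [date] [level] [client ip] text
    grok {
      match => { "Message" => "\[%{DATA:apache_timestamp}\] \[%{LOGLEVEL:apache_level}\] \[client %{IP:client_ip}\] %{GREEDYDATA:apache_message}" }
      tag_on_failure => ["nxlog_message_unparsed"]
    }
  }
}

output {
  elasticsearch {
    hosts => ["ELASTIC_HOST:9200"]   # placeholder; replace with your own host
    index => "testnx"
  }
  stdout { codec => rubydebug }
}
```

With this in place, each record becomes its own event with `Severity`, `Hostname` and `EventTime` as top-level fields, so later filters can branch on them directly (for example `if [Severity] == "ERROR"`).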