Split problem in logstash

abu.sayeed · August 10, 2017, 4:27am

my logstash.conf

filter {
mutate {
remove_field => [ "type", "tags", "input_type", "@version", "beat", "offset"]
}
}

my discovery logs format:

@timestamp:August 8th 2017, 13:45:54.424 host:vNTDACLSnTALK01 source:/home/local/group/nazdaq/logs/naztech.log message:[INFO ] Status => SENT | client : [MTB] | cell : [1746710009] | message-delivery-time : [2017-08-07 09:46:27,807] | Operator: [GP]

Available field:
@timestamp
message
host message
source

I need available field:
@timestamp
message
host message
source
status
client
operator

What can I do? Please anybody help me.
thanks

magnusbaeck · August 10, 2017, 6:01am

Change your grok filter so it lists two expressions instead of one (there's an example in the grok filter docs). Let the first expression be a copy if your current expression but with %{GREEDYDATA:syslog_message} replaced with a more specific expression that extracts the fields you want. If you do this, Logstash will try to match against the first expression and as a fallback try the more generic expression (because presumably not all log messages will be of the type contaiing status, client, and operator).

abu.sayeed · August 10, 2017, 7:35am

filter {
mutate {
remove_field => [ "type", "tags", "input_type", "@version", "beat", "offset"]
add_field => [ "status", "client", "operator", "message_delivery_time"]
}
}

log_format
@timestamp:August 8th 2017, 13:45:54.424 host:vNTDACLSnTALK01 source:/home/local/group/nazdaq/logs/naztech.log message:[INFO ] Status => SENT | client : [MTB] | cell : [1746710009] | message-delivery-time : [2017-08-07 09:46:27,807] | Operator: [GP] operator:message_delivery_time status:client

available_field:
t @timestamp
t message
t host message
t source
? operator
? status

But I need:

log_format
@timestamp:August 8th 2017, 13:45:54.424 host:vNTDACLSnTALK01 source:/home/local/group/nazdaq/logs/naztech.log message:[INFO ] Status => SENT | client : [MTB] | cell : [1746710009] | message-delivery-time : [2017-08-07 09:46:27,807] | Operator: [GP] operator:[GP] status:sent client: MTB message_delivery_time:2017:32:30

t @timestamp
t message
t host message
t source
t operator
t status
t client
t message_delivery_time

I need help
thanks

system · September 7, 2017, 7:35am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How can split discovery message field? Beats filebeat	8	5270	September 25, 2017
Is it possible to split discovery message field? Kibana	3	2262	September 10, 2017
Logstash filter customize Logstash	2	413	September 11, 2017
Could not split in multiline Logs in Logstash Logstash	4	872	July 12, 2018
Regarding Split filter in mutate Logstash	4	221	July 28, 2022

Split problem in logstash

Related topics