Split problem in logstash

abu.sayeed · August 10, 2017, 4:27am

my logstash.conf

filter {
mutate {
remove_field => [ "type", "tags", "input_type", "@version", "beat", "offset"]
}
}

my discovery logs format:

@timestamp:August 8th 2017, 13:45:54.424 host:vNTDACLSnTALK01 source:/home/local/group/nazdaq/logs/naztech.log message:[INFO ] Status => SENT | client : [MTB] | cell : [1746710009] | message-delivery-time : [2017-08-07 09:46:27,807] | Operator: [GP]

Available field:
@timestamp
message
host message
source

I need available field:
@timestamp
message
host message
source
status
client
operator

What can I do? Please anybody help me.
thanks

magnusbaeck · August 10, 2017, 6:01am

Change your grok filter so it lists two expressions instead of one (there's an example in the grok filter docs). Let the first expression be a copy if your current expression but with %{GREEDYDATA:syslog_message} replaced with a more specific expression that extracts the fields you want. If you do this, Logstash will try to match against the first expression and as a fallback try the more generic expression (because presumably not all log messages will be of the type contaiing status, client, and operator).

abu.sayeed · August 10, 2017, 7:35am

filter {
mutate {
remove_field => [ "type", "tags", "input_type", "@version", "beat", "offset"]
add_field => [ "status", "client", "operator", "message_delivery_time"]
}
}

log_format
@timestamp:August 8th 2017, 13:45:54.424 host:vNTDACLSnTALK01 source:/home/local/group/nazdaq/logs/naztech.log message:[INFO ] Status => SENT | client : [MTB] | cell : [1746710009] | message-delivery-time : [2017-08-07 09:46:27,807] | Operator: [GP] operator:message_delivery_time status:client

available_field:
t @timestamp
t message
t host message
t source
? operator
? status

But I need:

log_format
@timestamp:August 8th 2017, 13:45:54.424 host:vNTDACLSnTALK01 source:/home/local/group/nazdaq/logs/naztech.log message:[INFO ] Status => SENT | client : [MTB] | cell : [1746710009] | message-delivery-time : [2017-08-07 09:46:27,807] | Operator: [GP] operator:[GP] status:sent client: MTB message_delivery_time:2017:32:30

t @timestamp
t message
t host message
t source
t operator
t status
t client
t message_delivery_time

I need help
thanks

Topic		Replies	Views
How can split discovery message field? Beats filebeat	8	5334	September 25, 2017
Logstash filter customize Logstash	2	427	September 11, 2017
Removing fields from logstash Logstash	67	3538	October 6, 2023
How to extract rows with logstash Logstash	12	1351	December 4, 2017
Spliting log message Logstash	2	340	March 2, 2018

Split problem in logstash

Related topics