I have a log from which I need to extract the state field and generate a bar graph of the state transitions that the log shows for a given NexthopId. Please help me with this scenario.
LOGS:
2020-03-06 09:36:50.775744749 re0:ndp:25786 lltp_debug message = "NDP-DBG:NC_FSM_HANDLER:1634:: state 4, event 0, NexthopId 44000"
2020-03-06 09:36:51.548239404 re0:ndp:25786 lltp_debug message = "NDP-DBG:NC_FSM_HANDLER:1634:: state 5, event 3, NexthopId 44001"
2020-03-06 09:36:52.778379389 re0:ndp:25786 lltp_debug message = "NDP-DBG:NC_FSM_HANDLER:1634:: state 5, event 0, NexthopId 44001"
2020-03-06 09:36:52.801907464 re0:ndp:25786 lltp_debug message = "NDP-DBG:NC_FSM_HANDLER:1634:: state 7, event 4, NexthopId 44001"
Here is my logstash config file:
# Read the NDP debug log from disk.
input {
  file {
    path           => ["/home/hari/ndppro/ndp2a.log"]
    # Start at the top of the file instead of tailing only new lines.
    start_position => "beginning"
    # The read offset is written to /dev/null, i.e. never persisted, so the
    # whole file is read again on every Logstash restart. Because the output
    # sets no document id, each re-read indexes the same lines again.
    sincedb_path   => "/dev/null"
  }
}
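# Parse each NDP FSM debug line into timestamp / node / program / pid /
# tracetype / Message, pull state, event and NexthopId out of Message, and
# map the numeric state and event codes to readable names.
filter {
  grok {
    # Keep applying patterns after the first hit so that all three
    # sub-patterns on "Message" (NexthopId, state, event) are tried.
    break_on_match => false
    pattern_definitions => { "mssg" => "((Msg|message|Message|message1|message2) [=])" }
    match => {
      # The pattern contains literal double quotes around the payload, so the
      # string is delimited with single quotes. As posted, it was wrapped in
      # double quotes with unescaped inner quotes, which ends the string early
      # and does not parse as a config.
      "message" => ['%{TIMESTAMP_ISO8601:timestamp} %{WORD:node}:%{WORD:program}:%{INT:pid} %{WORD:tracetype}.*%{mssg} "%{GREEDYDATA:Message}"']
      "Message" => ["NexthopId %{WORD:next_hop_id}", "state %{WORD:state}", "event %{WORD:event}"]
    }
  }

  # Drop the raw line only when grok parsed it. Lines tagged
  # _grokparsefailure keep "message", so unparsed or unexpected input can
  # still be inspected in Elasticsearch instead of disappearing silently.
  if "_grokparsefailure" not in [tags] {
    mutate {
      remove_field => [ "message" ]
    }
  }

  # Numeric neighbor-cache state -> name. Anything outside the table is
  # labelled "Invalid state".
  # NOTE(review): newer releases of the translate filter name these options
  # source/target instead of field/destination - confirm against the
  # installed plugin version.
  translate {
    field => "[state]"
    destination => "[state_name]"
    dictionary => {
      "0" => "Unknown"
      "1" => "No state"
      "2" => "Unreachable"
      "3" => "Incomplete"
      "4" => "Reachable"
      "5" => "Stale"
      "6" => "Delay"
      "7" => "Probe"
    }
    fallback => "Invalid state"
  }

  # Numeric FSM event -> name. Anything outside the table is labelled
  # "Invalid event".
  translate {
    field => "[event]"
    destination => "[event_name]"
    dictionary => {
      "0" => "NC6_TIME_EXP"
      "1" => "NC6_RS_IN"
      "2" => "NC6_RA_IN"
      "3" => "NC6_NS_IN"
      "4" => "NC6_SOL_NA_IN"
      "5" => "NC6_UNSL_NA_IN"
      "6" => "NC6_NUD_HINT"
      "7" => "NC6_RT_ADD"
      "8" => "NC6_RT_DELETE"
      "9" => "NC6_ND6_FREE"
      "10" => "NC6_L2IFL_DOWN"
      "11" => "NC6_MAC_MOVE"
      "12" => "NC6_IFL_DOWN"
      "13" => "NC6_RT_CHANGE_TO_TIMER"
      "14" => "NC6_RT_CHANGE_TO_PERM"
      "15" => "NC6_RT_CHANGE_MAC"
      "16" => "NC6_PKT_OUT"
    }
    fallback => "Invalid event"
  }
}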
# Ship parsed events to the local Elasticsearch node.
output {
  elasticsearch {
    # No index, credentials or TLS options are set here, so the plugin
    # defaults apply.
    # NOTE(review): this relies on Elasticsearch listening on loopback only -
    # confirm authentication and TLS are configured before pointing this at
    # a node other hosts can reach.
    hosts => ["localhost:9200"]
  }
}