Hi,
I am kind of new to ELK. I have trouble splitting a substring of a message into fields, and my goal is to get the active alarms for each host, which would be (no. of alarms set - no. of alarms cleared).
The message field in Kibana shows as:
{
  "IP": "22.33.44.55",
  "message": "<188>Sep 1 15:16:46.000 22.33.44.55 typed[1369]: Alarm set: License color=YELLOW, class=XYZ, reason=usage requires a license\n"
}
{
  "IP": "22.33.44.55",
  "message": "<188>Sep 1 15:29:04.000 22.33.44.55 typed[1350]: Alarm cleared: License color=YELLOW, class=XYZ, reason= usage requires a license\n"
}
/etc/logstash/conf.d/syslog.conf:
filter {
  # Tag each alarm event and give it a signed count: +1 for set, -1 for cleared.
  if [message] =~ "Alarm set" {
    mutate {
      add_field => {
        "alarm" => "set"
        "alarmcount" => "1"
      }
    }
    # convert is applied before add_field inside one mutate block,
    # so the conversion has to live in a second mutate.
    mutate {
      convert => { "alarmcount" => "integer" }
    }
  }
  if [message] =~ "Alarm cleared" {
    mutate {
      add_field => {
        "alarm" => "cleared"
        "alarmcount" => "-1"
      }
    }
    mutate {
      convert => { "alarmcount" => "integer" }
    }
  }
  # Split the "key=value, key=value" part of the message into fields.
  kv {
    source => "message"
    field_split => ","
    value_split => "="
    trim_key => " \t"
    include_keys => [ "color", "class", "reason" ]
    trim_value => ",\t"
  }
}
Now it shows in Kibana as:
  "alarm": "cleared",
  "class": "XYZ",
  "reason": "usage requires a license"
but I don't see the color field. Can someone help me with this?
My end goal is to see these fields with respect to the IP, and when I visualize it, it should show the no. of active alarms, which in this case is 0, as one alarm is set and cleared for the same IP (so 0 alarms for IP 22.33.44.55):
  "alarm": "cleared/set",
  "class": "XYZ",
  "color": "YELLOW",
  "reason": "usage requires a license"
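As an added example (not part of the post above), the following Python approximates what a comma/equals kv split produces for the two sample messages, so you can see which keys actually come out of them, and then tallies set minus cleared per IP. The `kv_split` function is an assumption that mirrors the kv filter's field_split/value_split/trim behaviour only loosely; the real filter uses a regex, but the point it illustrates holds either way: the text in front of `=YELLOW` is not the bare key `color`.

```python
import re
from collections import defaultdict

# Constructed sample events mirroring the two messages in the question.
EVENTS = [
    {"IP": "22.33.44.55",
     "message": "<188>Sep 1 15:16:46.000 22.33.44.55 typed[1369]: Alarm set: "
                "License color=YELLOW, class=XYZ, reason=usage requires a license\n"},
    {"IP": "22.33.44.55",
     "message": "<188>Sep 1 15:29:04.000 22.33.44.55 typed[1350]: Alarm cleared: "
                "License color=YELLOW, class=XYZ, reason= usage requires a license\n"},
]

ALARM_RE = re.compile(r"Alarm (set|cleared): (.*)$", re.DOTALL)


def kv_split(text, field_split=",", value_split="=", trim_key=" \t", trim_value=" \t\n"):
    """Loose approximation of the Logstash kv filter (an assumption, not the
    real implementation): split on field_split, then on the first value_split,
    trimming only the edges of each key and value."""
    pairs = {}
    for chunk in text.split(field_split):
        if value_split not in chunk:
            continue
        key, value = chunk.split(value_split, 1)
        pairs[key.strip(trim_key)] = value.strip(trim_value)
    return pairs


def parse_alarm(event):
    """Return (action, fields). Only the text after 'Alarm set:'/'Alarm cleared:'
    is split, and a multi-word key such as 'License color' is reduced to its
    last word, so a key named exactly 'color' exists for include_keys to match."""
    m = ALARM_RE.search(event["message"])
    if not m:
        return None, {}
    raw = kv_split(m.group(2))
    fields = {k.split()[-1]: v for k, v in raw.items()}
    return m.group(1), fields


def active_alarms(events):
    """Net active alarms per IP: +1 for each 'set', -1 for each 'cleared'."""
    counts = defaultdict(int)
    for ev in events:
        action, _ = parse_alarm(ev)
        if action == "set":
            counts[ev["IP"]] += 1
        elif action == "cleared":
            counts[ev["IP"]] -= 1
    return dict(counts)
```

Running `kv_split` on the whole message yields the keys `class` and `reason` but no `color`, which matches what Kibana shows; `active_alarms(EVENTS)` returns 0 for 22.33.44.55.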