Unindexed fields - how to index these fields

Hi everybody,


newbie question:
I use grok filtering to parse a Cisco syslog file. As you can see in the screen capture, I create new fields ending in "_dan". But those fields are not indexed. I cannot find a way to index these fields.

Need help on how to do it.

Thanks

What does the mapping for the index look like?

Hi Mark,

Thanks for your reply.

First, I am a newbie at this and have poor knowledge of indexing (sorry for that).

I use filebeat to read a syslog file and transfer it to logstash.
In logstash, I use grok for filtering and a pattern file for my *_dan fields.

I hope I gave you the right info.

Here is what I think you want.

Daniel Trudel

Hi, I found my problem.
Everything is O.K.

I need this in the logstash conf file, "output" section:

output {
  elasticsearch {
    hosts => ["127.0.0.1:9200"]
    manage_template => false
    index => "filebeat-%{+YYYY.MM.dd}"
    document_type => "log"
  }
  stdout { codec => rubydebug }
}

and create the filebeat index:
curl -XPUT 'http://127.0.0.1:9200/filebeat-2017.02.24' -d@/etc/filebeat/filebeat.template.json

Thanks
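As an added example (not part of this thread or of Elastic's own code), the check below walks an index mapping of the shape returned by `GET /<index>/_mapping` and lists which `*_dan` fields are not searchable, then builds an index template that maps every `*_dan` field as `keyword` so grok-created fields are indexed consistently. The sample mapping is constructed for this example, and the template uses the Elasticsearch 5.x layout (`template` key, `log` document type) that matches the `document_type => "log"` output shown above; the function names `unindexed_fields` and `dan_template` are my own.

```python
import json

# Constructed sample mapping, shaped like the body returned by
# GET /filebeat-2017.02.24/_mapping (field names and settings are invented).
SAMPLE_MAPPING = {
    "filebeat-2017.02.24": {
        "mappings": {
            "log": {
                "properties": {
                    "message": {"type": "text"},
                    "host": {"type": "keyword"},
                    "cisco_facility_dan": {"type": "keyword"},          # indexed
                    "cisco_msg_dan": {"type": "text", "index": False},  # not indexed
                    "raw_dan": {"type": "keyword", "index": "no"},      # old-style "no"
                    "extra": {                                          # whole object disabled
                        "type": "object",
                        "enabled": False,
                        "properties": {"note_dan": {"type": "keyword"}},
                    },
                }
            }
        }
    }
}


def _walk(props, prefix=""):
    """Yield (dotted_name, field_spec) for every field, parents before children."""
    for name, spec in props.items():
        full = f"{prefix}{name}"
        yield full, spec
        if "properties" in spec:
            yield from _walk(spec["properties"], full + ".")


def unindexed_fields(mapping, suffix="_dan"):
    """Return the sorted names of fields ending in `suffix` that cannot be
    searched: `index: false` / `index: "no"` on the field itself, or an
    ancestor object mapped with `enabled: false`."""
    found = []
    for _index_name, body in mapping.items():
        for _doc_type, type_mapping in body.get("mappings", {}).items():
            disabled_prefixes = []
            for full, spec in _walk(type_mapping.get("properties", {})):
                if spec.get("enabled") is False:
                    disabled_prefixes.append(full + ".")
                if not full.endswith(suffix):
                    continue
                index_setting = spec.get("index", True)  # default: indexed
                under_disabled = any(full.startswith(p) for p in disabled_prefixes)
                if index_setting in (False, "no") or under_disabled:
                    found.append(full)
    return sorted(found)


def dan_template(pattern="filebeat-*", doc_type="log", suffix="_dan"):
    """Build an ES 5.x index template whose dynamic template maps every new
    field matching `*<suffix>` as a keyword, so grok-created fields are
    indexed (and aggregatable) without hand-editing the template per field."""
    return {
        "template": pattern,
        "mappings": {
            doc_type: {
                "dynamic_templates": [
                    {
                        "dan_fields": {
                            "match": f"*{suffix}",
                            "mapping": {"type": "keyword"},
                        }
                    }
                ]
            }
        },
    }


if __name__ == "__main__":
    print("not searchable:", unindexed_fields(SAMPLE_MAPPING))
    # The JSON printed here is what you would PUT to /_template/<name>.
    print(json.dumps(dan_template(), indent=2))
```

Run it against a real mapping by replacing `SAMPLE_MAPPING` with the parsed output of `curl 'http://127.0.0.1:9200/filebeat-*/_mapping'`; note that the index template only affects indices created after it is installed, so an existing daily index keeps its old mapping until the next day's index is created.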
