Good Afternoon,
I finally presented my final degree project with ELK, and I'm quite happy with the results. By the way, we're adding new features when it comes to data analysis and drawing graphs.
One of the problems I got stuck on is that Logstash isn't able to parse an output larger than 255 bytes (maybe I'm explaining it wrong).
The thing is that the error output says that the value is too large to output.
[WARN ] 2018-07-03 16:55:43.414 [Ruby-0-Thread-19@[main]>worker1: /usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:385] grok - Timeout executing grok '%{IP:clientip} - "%{NOTSPACE:username}" [%{HTTPDATE:http_date}] "%{NOTSPACE:method} %{PATH:path} HTTP/%{NUMBER:httpversion}" %{NUMBER:response} %{NOTSPACE:bytes} "%{NOTSPACE:referrer}" %{QUOTEDSTRING:user_agent}' against field 'message' with value 'Value too large to output (352 bytes)! First 255 chars are: X.X.X.X - "user.name" [27/Jun/2016:23:56:03 +0200] "GET /forum/rss/recentTopics.page.key?KEY=xxxxxxxxxxxxxxxxxxx HTTP/1.1" 200 5661 "https://URLwithsensibledata" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKi'!
I've been looking for solutions on discuss.elastic.co, and many of them were because of the use of patterns like DATA or GREEDYDATA, or due to the timeout, which I tried to change, and sometimes it does work and sometimes not.
My match => { "message" => looks like this:
match => { "message" => '%{IP:clientip} - "%{NOTSPACE:username}" \[%{HTTPDATE:http_date}\] "%{NOTSPACE:method} %{PATH:path} HTTP/%{NUMBER:httpversion}" %{NUMBER:response} %{NOTSPACE:bytes} "%{NOTSPACE:referrer}" %{QUOTEDSTRING:user_agent}' }
At the beginning, I was using DATA and GREEDYDATA, and tried to reduce them until I had none left. I've been looking at which of the ones I use are also expensive, and I think HTTPDATE is quite expensive, but I'm not sure if this would be my error.
My question would be: is this warning "Value too large to output" because of the log size, or because of the 'timestamp'? Should I use Filebeat to parse this data?
Thank you very much,
Toni.
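As an added example (not from the post, and not Logstash's own code): a small Python harness that expands a grok-style pattern into a regex using simplified copies of the pattern definitions, then matches the post's pattern against a constructed line shaped like the one in the warning. The request line in that warning carries a query string, and the simplified PATH pattern (like Logstash's UNIXPATH) does not accept `?` or `=`, so the line fails to match as a whole, while `%{NOTSPACE:path}` captures it; the pattern bodies, the sample IP and the other sample values are assumptions made for this example.

```python
import re

# Simplified copies of the Logstash grok-patterns definitions used by the
# pattern in the post (assumption: close enough for this log format, not the
# exact upstream regexes).
GROK_PATTERNS = {
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "NOTSPACE": r"\S+",
    "NUMBER": r"(?:\d+(?:\.\d+)?)",
    "HTTPDATE": r"\d{1,2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
    "QUOTEDSTRING": r'"(?:[^"\\]|\\.)*"',
    # UNIXPATH-style: a path segment never contains "?" or "=".
    "PATH": r"(?:/[\w_%!$@:.,+~-]+)+",
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern):
    """Expand %{NAME:field} references into named regex groups."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return GROK_REF.sub(repl, pattern)


def grok_match(pattern, line):
    """Return the captured fields, or None when the line does not match."""
    m = re.search(grok_to_regex(pattern), line)
    return m.groupdict() if m else None


# Pattern from the post, with the literal brackets around HTTPDATE escaped.
ACCESS_LOG = (r'%{IP:clientip} - "%{NOTSPACE:username}" \[%{HTTPDATE:http_date}\] '
              r'"%{NOTSPACE:method} %{PATH:path} HTTP/%{NUMBER:httpversion}" '
              r'%{NUMBER:response} %{NOTSPACE:bytes} "%{NOTSPACE:referrer}" '
              r'%{QUOTEDSTRING:user_agent}')

# Constructed line shaped like the one in the warning (placeholder values).
SAMPLE = ('203.0.113.7 - "user.name" [27/Jun/2016:23:56:03 +0200] '
          '"GET /forum/rss/recentTopics.page.key?KEY=PLACEHOLDER HTTP/1.1" '
          '200 5661 "https://example.invalid/ref" "Mozilla/5.0 (Windows NT 6.3)"')

if __name__ == "__main__":
    print(grok_match(ACCESS_LOG, SAMPLE))  # None: PATH stops at the "?"
    print(grok_match(ACCESS_LOG.replace("%{PATH:path}", "%{NOTSPACE:path}"), SAMPLE))
```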