1
votes

I need to generate new fields (loglevel) using Logstash and finally display them in Kibana.

log file format of Log4jNet log file

  1. How to extract this log and make the pattern using grok filter for this log.
  2. How to create the field of loglevel using logstash configuration.
2
The best way to start making grok patterns is with the grok debugger: grokdebug.herokuapp.com - Alain Collins

2 Answers

0
votes

I found this page helpful when I was setting up my log4net filter. Based on what your logs look like, you'll end up with something like this (copied from that page):

filter {
  if [type] == "log4net" {
    grok {
      match => [ "message", "(?m)%{LOGLEVEL:level} %{TIMESTAMP_ISO8601:sourceTimestamp} %{DATA:logger} \[%{NUMBER:threadId}\]  \[%{IPORHOST:tempHost}\] %{GREEDYDATA:tempMessage}" ]
    }
    mutate {
        replace => [ "message" , "%{tempMessage}" ]
        replace => [ "host" , "%{tempHost}" ]
        remove_field => [ "tempMessage" ]
        remove_field => [ "tempHost" ]
    }
  }
}
0
votes

Yes, now I have an answer. Please find below the configuration for creating new fields and filtering some fields.

filter {
  # Join any line that does not start with a timestamp onto the previous event
  multiline {
    pattern => "^%{TIMESTAMP_ISO8601}"
    what => "previous"
    negate => true
  }
  # Strip leading and trailing whitespace
  mutate {
    strip => "message"
  }
  # Replace \n in messages with a space
  mutate {
    gsub => ['message', "\n", " "]
  }
  # Replace \r in messages with a space
  mutate {
    gsub => ['message', "\r", " "]
  }

  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:time} \[%{NUMBER:thread}\] %{LOGLEVEL:loglevel} %{JAVACLASS:class} - %{GREEDYDATA:msg}" }
  }
  # Copy msg into msg_error when it mentions an exception
  if "Exception" in [msg] {
    mutate {
      add_field => { "msg_error" => "%{msg}" }
    }
  }
}
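To check offline which fields the filter chain in the second answer produces, the following Python sketch mirrors its steps (multiline join, strip, newline replacement, grok match, msg_error) on a few log lines. It is an added example, not part of either answer: the regexes are simplified stand-ins for grok's TIMESTAMP_ISO8601, LOGLEVEL and JAVACLASS, the sample lines are constructed, and `_grokparsefailure` is the tag grok adds by default when a line does not match.

```python
import re

# Simplified stand-ins (assumptions) for grok's TIMESTAMP_ISO8601, LOGLEVEL, JAVACLASS.
TS = r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?"
LEVEL = r"DEBUG|INFO|WARN|ERROR|FATAL"
CLASS = r"(?:[A-Za-z$_][\w$]*\.)*[A-Za-z$_][\w$]*"
LINE = re.compile(
    rf"(?P<time>{TS}) \[(?P<thread>\d+)\] (?P<loglevel>{LEVEL}) (?P<class>{CLASS}) - (?P<msg>.*)"
)

# Constructed sample: one plain entry, one entry with a stack trace spread over
# several lines, and one entry that starts with a timestamp but is malformed.
SAMPLE = (
    "2015-03-10 14:22:01,123 [12] INFO MyApp.Services.OrderService - Order 42 created\r\n"
    "2015-03-10 14:22:02,456 [7] ERROR MyApp.Data.Repository - System.InvalidOperationException: boom\r\n"
    "   at MyApp.Data.Repository.Save()\r\n"
    "   at MyApp.Services.OrderService.Create()\r\n"
    "2015-03-10 14:22:03,000 malformed entry without thread or level\r\n"
)


def parse(raw):
    """Return one dict per event, with the fields the filter chain would add."""
    events = []
    for line in raw.splitlines():
        # multiline: a line that does not start with a timestamp joins the previous event
        if re.match(TS, line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line

    parsed = []
    for message in events:
        # mutate strip, then the two gsub steps
        message = message.strip().replace("\n", " ").replace("\r", " ")
        match = LINE.search(message)
        if match is None:
            # grok leaves the event unparsed and tags it
            parsed.append({"message": message, "tags": ["_grokparsefailure"]})
            continue
        event = {"message": message, **match.groupdict()}
        if "Exception" in event["msg"]:
            event["msg_error"] = event["msg"]
        parsed.append(event)
    return parsed


if __name__ == "__main__":
    for event in parse(SAMPLE):
        print(event.get("loglevel"), event.get("tags"), event["message"][:60])
```

Events tagged `_grokparsefailure` carry no `loglevel` field, so a Kibana view filtered on `loglevel` will not show them.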