2
votes

How do I create a grok custom pattern filter in Logstash? I want to create a pattern for the HTTP response status code; here is my pattern code

STATUS_CODE __ %{NONNEGINT} __

What I really want to do is to have all of my web server hits with the user IP, the request HTTP headers and payload, and also the web server's response.

And here is my logstash.conf

input {

    file {
      type => "kpi-success"
      path => "/var/log/kpi_success.log"
      start_position => beginning
    }
}

filter {

  if [type] == "kpi-success" {

     grok {
        patterns_dir => ["./patterns"]
        match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{GREEDYDATA:message} "}
     }

     multiline {
            pattern => "^\["
            what => "previous"
            negate => true
     }

     mutate{
          add_field => {
                "statusCode" => "[STATUS_CODE]"
              }
     }
  }
}

output {

    if [type] == "kpi-success" {
        elasticsearch {
            hosts => "elasticsearch:9200"
            index => "kpi-success-%{+YYYY.MM.dd}"
        }
    }
}
1
Read the doc? - baudsp
Yes, I've already read the whole docs, but it's not so clear - mhndev
Can you provide some sample lines of the log you're trying to process? - niglesias

1 Answer

1
votes

You don't have to use a custom pattern file, you can define a new one directly in the filter.

grok {
   match => { "message" => "(?<STATUS_CODE>__ %{NONNEGINT} __)"}
}
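To show both routes side by side, here is an added example configuration (not from the question or the answer) that references a pattern defined in a patterns file and notes the inline form from the answer. It assumes a file `./patterns/kpi` containing the single line `STATUS_CODE %{NONNEGINT}` (narrowed to the digits so the captured field holds only the code) and a log line layout of `[<ISO8601 timestamp>] <client IP> <verb> <path> __ <status> __`, which is a guess since no sample lines were posted.

```conf
input {
  file {
    type => "kpi-success"
    path => "/var/log/kpi_success.log"
    start_position => "beginning"
    # Multi-line events are joined at input time with the multiline codec
    # (the standalone multiline filter is deprecated): any line that does
    # not start with "[" is appended to the previous event.
    codec => multiline {
      pattern => "^\["
      negate  => true
      what    => "previous"
    }
  }
}

filter {
  if [type] == "kpi-success" {
    grok {
      # Directory holding the custom definitions; every "NAME regex" line
      # in it becomes usable as %{NAME} below, just like the built-ins.
      patterns_dir => ["./patterns"]
      # Assumed layout: [2016-03-01T10:15:30] 10.0.0.1 GET /login __ 200 __
      # %{STATUS_CODE:statusCode:int} stores the match in "statusCode"
      # as an integer, so range queries on it work in Elasticsearch.
      match => {
        "message" => "\[%{TIMESTAMP_ISO8601:timestamp}\] %{IP:clientIp} %{WORD:verb} %{URIPATHPARAM:path} __ %{STATUS_CODE:statusCode:int} __"
      }
      # Same capture without a patterns file, as in the answer: a named
      # group whose body is the built-in pattern.
      #   match => { "message" => "... __ (?<statusCode>%{NONNEGINT}) __" }
    }
    # Use the event's own timestamp instead of the time Logstash read the line.
    date {
      match => ["timestamp", "ISO8601"]
    }
  }
}

output {
  if [type] == "kpi-success" {
    elasticsearch {
      hosts => "elasticsearch:9200"
      index => "kpi-success-%{+YYYY.MM.dd}"
    }
  }
}
```

A quick way to check the match before deploying is to add a `stdout { codec => rubydebug }` output and confirm that `statusCode` appears as a number and no `_grokparsefailure` tag is set.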