Skip to content

Instantly share code, notes, and snippets.

@alexandrem

alexandrem/Debug output from logstash

Created November 19, 2012 16:46
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save alexandrem/4111770 to your computer and use it in GitHub Desktop.
Save alexandrem/4111770 to your computer and use it in GitHub Desktop.
Download ZIP
Logstash filter using grok and multiline
Raw
Debug output from logstash
{"@source"=>"rendez-vous", "@tags"=>["multiline"], "@fields"=>{"thread_id"=>["2812"], "pid"=>["42122"], "loglevel"=>["DEBUG"]}, "@timestamp"=>"2012-11-19T16:39:22.302Z", "@source_host"=>"devsandbox", "@source_path"=>"/", "@message"=>"TrackingService::SendTag(), eventName = screenpagenavig, eventData = ", "@type"=>"rendezvous"}
Raw
issue with multiline
filter {
multiline {
type => "rendezvous"
pattern => "^#"
negate => true
what => "previous"
}
grok {
type => "rendezvous"
pattern => "#%{USERNAME:thread_id}\|%{NUMBER:pid}\|\[%{USERNAME:sandbox}\]\[%{LOGLEVEL:loglevel}\]\[%{TIMESTAMP_ISO8601:timestamp}\]%{GREEDYDATA:msg}"
}
date {
type => "rendezvous"
timestamp => "ISO8601"
}
mutate {
type => "rendezvous"
replace => [ "@source_host", "%{sandbox}" ]
replace => [ "@message", "%{msg}" ]
replace => [ "@source", "rendez-vous"]
}
mutate {
type => "rendezvous"
remove => [ "sandbox", "timestamp", "msg" ]
}
}
Raw
Original message in plain text
TrackingService::SendTag(), eventName = screenpagenavig, eventData =
{
"curscreen" : "Home",
"duration" : 16140,
"player" : 42122,
"prevscreen" : "Login"
}
@alexandrem
Copy link
Author

Full original message received (watch for double newlines):
#3228|42122|[devsandbox][DEBUG][2012-11-19T16:52:22.015Z]TrackingService::SendTag(), eventName = screenpagenavig, eventData =

{

"curscreen" : "Home",

"duration" : 18234,

"player" : 42122,

"prevscreen" : "Login"

}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment