使用带有Logstash的grok的自定义指标

Question

I'm trying to integrate some code into an existing ELK stack, and we're limited to using filebeats + logstash. I'd like to have a way to configure a grok filter that will allow different developers to log messages in a pre-defined format such that they can capture custom metrics, and eventually build kibana dashboards.

For example, one team might log the following messages:

metric_some.metric=2
metric_some.metric=5
metric_some.metric=3

And another team might log the following messages from another app:

metric_another.unrelated.value=17.2
metric_another.unrelated.value=14.2

Is there a way to configure a single grok filter that will capture everything after metric_ as a new field, along with the value? Everything I've read here seem to indicate that you need to know the field name ahead of time, but my goal is to be able to start logging new metrics without having to add/modify grok filters.

Note: I realize Metricsbeat is probably a better solution here, but as we're integrating with an existing ELK cluster which we do not control, that's not an option for me.

Answer 1

As your messages seems to be a series of key-value pairs, you can use the kv filter instead of grok .

When using grok you need to name the destination field, with kv the name of the destination field will be the same as the key .

The following configuration should work for your case.

filter { kv { prefix => "metric_" } }

For the event metric_another.unrelated.value=17.2 your output will be something like { "another.unrelated.value": "17.2" }