stackoom
  简体   繁体   中英

logstash text file output configuration

 原文  2017-06-01 10:37:36       elasticsearch/ logstash/ logstash-grok/ logstash-configuration/ logstash-forwarder

Question

Hey i have a text file containing many lines each line contain 3 values separated by space: 

username email hash
username email hash
username email hash
username email hash
username email hash

i tried indexing the list with logstash using this config: 

    input {
        file {
                path => "/path/to/your/file.log"
                start_position => beginning
                sincedb_path => "/dev/null"
        }
}
filter {
        grok {
                match => {"message" => "%{WORD:username} %{WORD:email} %{WORD:hash}" }
        }
}
output {
        elasticsearch {
                hosts => ["localhost:9200"]
        }
}

my problem is that logstash index it like that: 

        {
  "_index": "logstash-2017.06.01",
  "_type": "logs",
  "_id": "AVxinqK5XRvft8kN7Q6M",
  "_version": 1,
  "_score": null,
  "_source": {
    "path": "C:/Users/user/Desktop/user/log.txt",
    "@timestamp": "2017-06-01T07:46:22.488Z",
    "@version": "1",
    "host": "DESKTOP-FNGSJ6C",
    "message": "username email password",
    "tags": [
      "_grokparsefailure"
    ]
  },
  "fields": {
    "@timestamp": [
      1496303182488
    ]
  },
  "sort": [
    1496303182488
  ]
}

and i want it to be like that: 

        {
  "_index": "logstash-2017.06.01",
  "_type": "db",
  "_id": "AVxinqK5XRvft8kN7Q6M",
  "_version": 1,
  "_score": null,
  "_source": {
    "username": "Marlb0ro",
    "email": "Marlb0ro@site.com",
    "hash": "123456",
}

what can i do to change it? any help will be apricated

2 answers

solution1
 1  2017-08-09 10:16:49

There is a parsing error when I try test your grok in http://grokconstructor.appspot.com . Since space is the delimiter, I tried using NOTSPACE for the username and email: 

%{NOTSPACE:username} %{NOTSPACE:email} %{WORD:hash}

solution2
 0  2017-10-23 08:54:35

I am pretty sure that your grok parser won't work. Because the pattern "Word" won't match for a Hash or EMail Adress.

You can check their pre defined patterns on their github page ( here )

There is an "EMAILADDRESS" pattern and for the hash I would use "Username".

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question logstash file input configuration Grok pattern for logstash configuration file logstash index a text file logstash elastic search output configuration based on inputs Logstash email output plugin configuration error? logstash filter add text to output Logstash configuration file error(Answer not working) Logstash output from filebeat. What is 'index' configuration option? sending different output using same logstash file Appending to file not showing up on logstash or elasticsearch output
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM