I am trying to extract data from a log4j message with Logstash. The message is:

method findall - start : bokc

I want to extract the method name ("findall") and the user ("bokc"). How can I do this?
I use Logstash 1.5.2 with this config:

input {
  log4j {
    mode => "server"
    type => "log4j-artemis"
    port => 4560
  }
}
filter {
  multiline {
    type => "log4j-artemis"
    pattern => "^\\s"
    what => "previous"
  }
  mutate {
    add_field => [ "source_ip", "%{host}" ]
  }
}
Use a grok filter:

filter {
  grok {
    match => [ "message", "^method %{WORD:method} - start : %{USER:user}" ]
    tag_on_failure => []
  }
}

This extracts two words into the fields "method" and "user". The tag_on_failure setting makes sure that non-matching messages aren't tagged with _grokparsefailure. Since not all messages are supposed to match the pattern, it doesn't make sense to mark them as failures.
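To check the pattern before deploying it, here is a small Python simulation of what the grok filter above does. This is an added example, not code from the original answer or from Logstash itself: it expands the WORD and USER grok names into the regexes defined in logstash-patterns-core (assumed to match what Logstash 1.5.2 ships), runs the pattern over a few constructed sample messages, and shows that a non-matching message gets no fields and, with an empty tag_on_failure, no tags.

```python
import re

# Grok base patterns WORD and USER, as defined in logstash-patterns-core
# (assumption: identical to the versions bundled with Logstash 1.5.2).
GROK_PATTERNS = {
    "WORD": r"\b\w+\b",
    "USER": r"[a-zA-Z0-9._-]+",
}

# The pattern from the answer above.
GROK_PATTERN = "^method %{WORD:method} - start : %{USER:user}"


def grok_to_regex(pattern: str) -> "re.Pattern":
    """Expand each %{NAME:field} reference into a named regex group."""
    def expand(m: "re.Match") -> str:
        name, field = m.group(1), m.group(2)
        return f"(?P<{field}>{GROK_PATTERNS[name]})"
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", expand, pattern))


def grok_filter(event: dict, pattern: str = GROK_PATTERN,
                tag_on_failure=()) -> dict:
    """Mimic the grok filter: on a match add the captured fields to the
    event; otherwise add the tag_on_failure tags (none when the list is
    empty, which is the answer's setting). Grok searches, it does not
    anchor, so the leading ^ in the pattern is what pins it to the start."""
    m = grok_to_regex(pattern).search(event["message"])
    if m:
        event.update(m.groupdict())
    elif tag_on_failure:
        event.setdefault("tags", []).extend(tag_on_failure)
    return event


# Constructed sample messages: the one from the question, a "start" line
# with a dotted user name, and an "end" line that must not match.
SAMPLE_MESSAGES = [
    "method findall - start : bokc",
    "method save - start : j.doe_1",
    "method findById - end : alice",
]


def run_samples(tag_on_failure=()) -> list:
    """Run the filter over the samples and return the resulting events."""
    return [grok_filter({"message": msg}, tag_on_failure=tag_on_failure)
            for msg in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for event in run_samples():
        print(event)
    print("with default tag:")
    for event in run_samples(tag_on_failure=["_grokparsefailure"]):
        print(event)
```

The first two sample events come back with "method" and "user" set; the "end" line gets neither field, and only acquires a "tags" entry when tag_on_failure is non-empty.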