Develop Reference

Logstash, grok filter not working for fixed length fields

I am a newbie to logstash, I have an input file with fixed length fields and a config file for log stash configured with the regexp as shown below:
Contents of my log stash configuration file first-pipeline.conf
# The # character at the beginning of a line indicates a comment. Use
# comments to describe your configuration.
input {
file {
path => "/Users/priya/sample.log"
start_position => beginning
}
}
filter {
grok {
match => ["message", "(?<RECORD_CODE>.{1})(?<SEQUENCE_NUMBER>.{6})(?<REG_NUMBER>.{12})(?<DATA_TYPE>.{3})"]
}
}
output {
stdout {}
}
Content of my sample.log file:
50000026311000920150044236080000000026
5000003631100092015005423608000000002
5000004631100092015006615054962
The output i get from log stash is:
priyas-MacBook-Pro:bin priya$ ./logstash -f first-pipeline.conf
Default settings used: Filter workers: 2
Logstash startup completed
Could someone please help me debug the issue and get it to working?
Thanks and regards,
Priya

I assume the problem in your case is not the grok expression itself but the way the file input is reading your test file.
The file input remebers where it last read from a logfile and continues reading from that position on subsequent runs (it stores this index in a special file called since_db). start_position => "beginning" only works for the first time you start logstash, on subsequent runs it will start reading from it last ended meaning you won't see any new lines in your console unless you a.) add new lines to your files or b.) manually delete the since_db file (sincedb_path => null is not working under windows, at least when I last tried).
So imho you should first make sure that your grok is working. To do is simply add the stdin input to your input section like this:
input {
stdin {
}
file {
path => "/Users/priya/sample.log"
start_position => beginning
}
}
Now you can manually create logstash events by simply typing in your console and pressing enter. These events will be parsed as regular logstash events and you will see the resulting json in your console as well (that's done by the stdout output fitler).
After you made sure your grok is working you can check wether or not logstash is picking up the file contents as you would expect it to. Restart logstash and add a new line of data to your /Users/priya/sample.log file (don't forget the newcline/CR at the end of the new line otherwise it wount be picked up). If logstash picks up the new line it should appear in your console output (because you added the stdout output filter).

Store Multiple Identical Results from Logstash

So, say I have an event coming into Logstash as a multiline object (there are many events that all basically match the pattern below):
Starting script at 2015-11-12 15:06 EST
Found result a at 127.0.0.1
Found result b at 127.0.0.1
Found result c at 0.0.0.0
Script ended at 2015-11-12 15:07 EST
How would I go about matching this in such a way as to store each of the "Found ..." lines separately?
My current config file is something like:
filter {
grok {
break_on_match => false
match => {
"message" => [
"Starting script at ${TIMESTAMP_ISO8601:run_time}",
"Found result %{GREEDYDATA:result} at ${IP:result_ip}"
]
}
}
}
As it stands, this only captures one of the "Found result..." lines. (That is, it matches them all, but only stores one of them - there's only one result variable output.) I'd like to individually capture them, and store them as an... well, anything, so long as they're all there.
Is there a way to capture multiple of the same pattern and store all of the resultant capture data distinctly, while keeping the whole multiline event together so that I can tie it to header data such as the script start time?

I think you can use the split filter to achieve what you want. It allows you to split one event into several parts. The indivdual parts are all copies of the original event as far as I remember. You have to play with the terminator parameter which controls when the message is split into parts.
Check out the docs at: https://www.elastic.co/guide/en/logstash/current/plugins-filters-split.html#plugins-filters-split-target

Handling different log formats in the same file

I have a single log file that contains differing output formats.
For example:
line 1 = 2015-01-1 12:04:56 INFO 192.168.0.1 my_user someone logged in
line 2 = 2015-01-1 12:04:56 WARN [webserver-thread] (MyClass.java:66) user authenticated
Whilst the real solution is to either split them into separate files or unify the formats is it possible to grok differing log formats with Logstash?

My first recommendation is to run one grok{} to strip off the common stuff - the datetime and log level. You can put the remaining stuff back into the [message] field:
%{TIMESTAMP_ISO8601} %{WORD:level} %{GREEDYDATA:message}
Make sure to use the 'overwrite' parameter in grok{}.
Then if you want to parse the remaining information, your (multiple) regexps will be running against a shorter string, which should make them more efficient.
You can then have multiple patterns:
grok {
match => [
"message", "PATTERN1",
"message", "PATTERN2"
]
}
By default, grok will stop processing when it hits the first match.

Debugging new logstash grok filters before full use

I have been following this guide:
http://deviantony.wordpress.com/2014/06/04/logstash-debug-configuration/
Which I'm hoping will help me test my logstash filters to see if I get the desired output before using them full time.
As part of the guide it tells you to set up an input and output and then a filter file. the input seems to work fine:
input {
stdin { }
}
The output is this:
output {
stdout {
codec => json
}
file {
codec => json
path => /tmp/debug-filters.json
}
}
I am getting the following error when I try to run the logstash process (here I've run it with --configtest as the error advises me to try that, but it doesn't give any more information):
# /opt/logstash/bin/logstash -f /etc/logstash/debug.d -l /var/log/logstash/logstash-debug.log --configtest
Sending logstash logs to /var/log/logstash/logstash-debug.log.
Error: Expected one of #, ", ', -, [, { at line 21, column 17 (byte 288) after output {
stdout {
codec => json
}
file {
codec => json
path =>
I have tried removing the file section in my output and I can get the logstash process running, but when I paste my log line in to the shell I don't see the log entry broken down in to the components I am expecting the grok filter to break it in to. All I get when I do that is:
Oct 30 08:57:01 VERBOSE[1447] logger.c: == Manager 'sendcron' logged off from 127.0.0.1
{"message":"Oct 30 08:57:01 VERBOSE[1447] logger.c: == Manager 'sendcron' logged off from 127.0.0.1","#version":"1","#timestamp":"2014-10-31T16:09:35.205Z","host":"lumberjack.domain.com"}
Initially I was having a problem with a new grok filter, so I have now tried with an existing filter that I know works (as shown above it is an Asterisk 1.2 filter) and has been generating entries in to elasticsearch for some time.
I have tried touching the json file mentioned in the output, but that hasn't helped.
When I tail the logstash-debug.log now I just see the error that is also being written to my shell.
Any suggestions on debugging grok filters would be appreciated, if I have missed something blindingly obvious, apologies, I've only been working with ELK & grok for a couple of weeks and I might not be doing this in the most sensible way. I was hoping to be able to drop example log entries in to the shell and get the JSON formatted logstash entry to my console so I could see if my filter was working as I hoped, and tagging them up as they will be displayed in kibana at the end. If there is a better way to do this please let me know.
I am using logstash 1.4.2

As far as debugging a grok filter goes, you can use this link (http://grokdebug.herokuapp.com/) It has a very comprehensive pattern detector which is a good start.
As far your file output, you need "" around your path. Here is the example i use in production. Here is the documentation on file output http://logstash.net/docs/1.4.2/outputs/file#path
output {
stdout {
codec => rubydebug
}
file {
codec => "plain"
path => "./logs/logs-%{+YYYY-MM-dd}.txt"
}
}

The Grokconstructor is a similar Grok debugger to Grokdebug which #user3195649 mentioned. I like it's random examples.

Extracting fields in Logstash

I am using Logstash (with Kibana as the UI). I would like to extract some fields from my logs so that I can filter by them on the LHS of the UI.
A sample line from my log looks like this:
2013-07-04 00:27:16.341 -0700 [Comp40_db40_3720_18_25] client_login=C-316fff97-5a19-44f1-9d87-003ae0e36ac9 ip_address=192.168.4.1
In my logstash conf file, I put this:
filter {
grok {
type => "mylog"
pattern => "(?<CLIENT_NAME>Comp\d+_db\d+_\d+_\d+_\d+)"
}
}
Ideally, I would like to extract Comp40_db40_3720_18_25 (the number of digits can vary, but will always be at least 1 in each section separated by _) and client_login (can also be client_logout). Then, I can search for CLIENT_NAME=Comp40... CLIENT_NAME=Comp55, etc.
Am I missing something in my config to make this a field that I can use in Kibana?
Thanks!

If you are having any difficulty getting the pattern to match correctly, using the Grok Debugger is a great solution.
For your given problem you could just separate out your search data into another variable, and save the additional varying digits in another (trash) variable.
For example:
(?<SEARCH_FIELD>Comp\d+)%{GREEDYDATA:trash_variable}]
(Please use the Grok Debugger on the above pattern)