I am very new to logstash. I can just run logstash jar file and see a kibana web page. It's cool~~
Now, I want to change a following line (syslog message) to the next line.
Feb 19 18:45:29 SD550 Jack: REG,0x1000,4,10,20,30,40
==>
{ 'timestamp': 'Feb 19 18:45:29',
'host': 'SD550', 0x1000:10, 0x1001:20, 0x1002:30, 0x1003:40 }
In log message, '0x1000' is a starting register address, '4' is the number of register values, and next values are just value. So, that means 0x1000:10, 0x1001:20, 0x1002:30, 0x1003:40. An important point is that the number of register values is able to change. As a result, the length of log message can be variable. Even though it has any length, I'd like to get a proper result. (e.g., 0x2000,2,12,22 ==> 0x2000:12, 0x2001:22)
This is my incomplete config file for logstash. I found some filters such as grok, mutate and extractnumbers. But, I don't know how to do what I want to do.
input {
file {
path => "/var/log/syslog"
type => "syslog"
}
}
filter {
???
}
output {
elasticsearch { }
}
I know I want a lot, sorry guys. In addition, My final goal is to draw a TIME(x)/VALUE(y) chart for a specific register in kibana. Is it possible? Can I have some advice from you?
Thank you, Youngmin Kim
Thank you everybody who answers my question.. Especially, Ben Lim.
With your help, I got this result.
{
"@version" => "1",
"@timestamp" => "2014-02-20T11:07:28.125Z",
"type" => "syslog",
"host" => "ymkim-SD550",
"path" => "/var/log/syslog",
"ts" => "Feb 20 21:07:27",
"user" => "ymkim",
"func" => "REG",
"8192" => 16,
"8193" => 32,
"8194" => 17,
"8195" => 109
}
from $ logger REG,2000,4,10,20,11,6d
This is my config file.
input {
file {
path => "/var/log/syslog"
type => "syslog"
}
}
filter {
grok {
match => ["message", "%{SYSLOGTIMESTAMP:ts} %{SYSLOGHOST:hostname} %{WORD:user}: %{WORD:func},%{WORD:address},%{NUMBER:regNumber},%{GREEDYDATA:regValue}"]
}
if [func] == "REG" {
modbus_csv {
start_address => "address"
num_register => "regNumber"
source => "regValue"
remove_field => ["regValue", "hostname", "message",
"address", "regNumber"]
}
}
}
output {
stdout { debug => true }
elasticsearch { }
}
and modified csv filter, named modbus_csv.rb.
# encoding: utf-8
require "logstash/filters/base"
require "logstash/namespace"
require "csv"
# CSV filter. Takes an event field containing CSV data, parses it,
# and stores it as individual fields (can optionally specify the names).
class LogStash::Filters::MODBUS_CSV < LogStash::Filters::Base
config_name "modbus_csv"
milestone 2
# The CSV data in the value of the source field will be expanded into a
# datastructure.
config :source, :validate => :string, :default => "message"
# Define a list of column names (in the order they appear in the CSV,
# as if it were a header line). If this is not specified or there
# are not enough columns specified, the default column name is "columnX"
# (where X is the field number, starting from 1).
config :columns, :validate => :array, :default => []
config :start_address, :validate => :string, :default => "0"
config :num_register, :validate => :string, :default => "0"
# Define the column separator value. If this is not specified the default
# is a comma ','.
# Optional.
config :separator, :validate => :string, :default => ","
# Define the character used to quote CSV fields. If this is not specified
# the default is a double quote '"'.
# Optional.
config :quote_char, :validate => :string, :default => '"'
# Define target for placing the data.
# Defaults to writing to the root of the event.
config :target, :validate => :string
public
def register
# Nothing to do here
end # def register
public
def filter(event)
return unless filter?(event)
@logger.debug("Running modbus_csv filter", :event => event)
matches = 0
@logger.debug(event[@num_register].hex)
for i in 0..(event[@num_register].hex)
@columns[i] = event[@start_address].hex + i
end
if event[@source]
if event[@source].is_a?(String)
event[@source] = [event[@source]]
end
if event[@source].length > 1
@logger.warn("modbus_csv filter only works on fields of length 1",
:source => @source, :value => event[@source],
:event => event)
return
end
raw = event[@source].first
begin
values = CSV.parse_line(raw, :col_sep => @separator, :quote_char => @quote_char)
if @target.nil?
# Default is to write to the root of the event.
dest = event
else
dest = event[@target] ||= {}
end
values.each_index do |i|
field_name = @columns[i].to_s || "column#{i+1}"
dest[field_name] = values[i].hex
end
filter_matched(event)
rescue => e
event.tag "_modbus_csvparsefailure"
@logger.warn("Trouble parsing modbus_csv", :source => @source, :raw => raw,
:exception => e)
return
end # begin
end # if event
@logger.debug("Event after modbus_csv filter", :event => event)
end # def filter
end # class LogStash::Filters::Csv
Finally, I got a chart what I want. (*func = REG (13) 4096 mean per 10m | (13 hits))
Collected from the Internet
Please contact [email protected] to delete if infringement.
Comments