drdre: I'd expect a PUSH to a url with 'templates' in its path somewhere
kevind joined the channel
mr-potter joined the channel
techminer: @message is the field created by logstash automatically containing the message field on arrival - message is a different field - possibly created by the action of a filter.
drdre
I pushed it to set the template yesterday and it took it.
freezey has quit
N0tTh30n3 has quit
So today, as it uses the new template, it broke?
martijnvg has quit
techminer
So I have a central loghost that adds data to the front of the log entries. An extra timestamp, the origin host, and origin program. I want to split off the extra parts the loghost adds, grab just the origin host, and then process the remaining original log message. Is grok what I want to use?
labrown joined the channel
grok { match => [ "@message", "%{SYSLOGBASE:logger_data} %{GREEDYDATA:original_message}" ] }
stackedsax has quit
rastro has quit
Mattch
techminer: Yep - that'll create 2 fields - logger_data and original_message pulled from @message
techminer
Then I could grok the origin out of the "logger_data" and finish processing the "original_message"… ???
Mattch
drdre: Ahh, I see - sorry, misunderstood what you were doing...
anonymuse has quit
bdpayne joined the channel
labrown
I need to detect IP address in a field, then try reverse DNS on it. Is there a better way than grokking the field to match an %{IP}
anonymuse joined the channel
rashidkpc
nope
Mattch
drdre: It looks like you've set a field in your mapping to be cast to the wrong type, and ES is having issues casting it back again
labrown
ok.
freezey joined the channel
It'd be nice to be able to say: if [host] =~ /%{IP}/
rastro joined the channel
Mattch
drdre: If I had to guess, I'd say you had a field called PagedBytes, and you've set it to a string, not a number, in the mapping
ohlol joined the channel
drdre: sorry, ignore the 'PagedBytes' bit - but some field is mis-cast
drdre
could not find pagedbytes
sk_admin has quit
barbosa_ has quit
when a template is added will it impact all the indices? Indices created before the template mapping is added, and after?
thorrsson joined the channel
my ES cluster seems to be indexing data still but Kibana is throwing out an error. I pulled the Last Elasticsearch Query and curled on the command line and got that.
pheaver has quit
Bastian1 has quit
kalloc_ has quit
Merdock joined the channel
mr-potter has quit
freezey has quit
barbosa joined the channel
losh_ has quit
Spanktar joined the channel
poctc has quit
waffle3 has quit
labrown
drdre: new templates only affect new indexes.
hatless joined the channel
wowi_ has quit
spinscale has quit
drdre
labrown: Thanks!
labrown
welcome
hrdcore0x1
is there an easy way to clear all elasticsearch data?
drdre
Mattch or anybody: I am still figuring out curl ... how do I compare indices?
labrown
hrdcore0x1: delete the index
drdre
looking for this mis-cast.
hrdcore0x1
labrown: using curl -XDELETE? What if I have a lot of indexes like 'logstash-2013.08.21', 'logstash-2013.08.22', etc.
Mattch
drdre: Just have to grab the template from ES and then do a json diff locally I think...
hrdcore0x1
labrown: I'd like to not have to iterate all the indexes, but instead just delete all info
Mattch
hrdcore0x1: should accept wildcards - e.g. logstash-*
hrdcore0x1
mattch: excellent thanks
labrown
curl -XDELETE 'http://localhost:9200/' will blow away ALL indexes.
Mattch
labrown: A good reason to set 'action.disable_delete_all_indices: true' in elasticsearch.yml :)
labrown
Mattch: agree
eper has quit
madu joined the channel
What's the best way to sample an incoming event stream? Say I want to keep only 10%, or 1% of the logs (for a development server, for example)
kepper has quit
never mind. found it.
JasonG has quit
ch0psti73 has quit
clly joined the channel
hrdcore0x1 has quit
madu has quit
kepper joined the channel
nmische_ has quit
_maes_ joined the channel
mikeybisbo joined the channel
stackedsax joined the channel
mikeybisbo
It states in the docs for the elastic search output plugin (http://logstash.net/docs/1.3.3/outputs/elastics...) that: "Your elasticsearch cluster must be running elasticsearch 0.90.9". Does that really mean >= 0.90.9? Or does it mean what it says, only 0.90.9. Elasticsearch is now at 0.90.10 so I wanted to check.
mikeybisbo: ES 0.90.9 is known to work (and is tested). You are welcome to try other releases (like 0.90.10) and they *should* work, if they don't, it will be obvious in that you will get lots of errors.
Guest79662
@akat yes there's a bit but I'm looking for more details. For instance, what is the appropriate value for "fields type"
@akat yes there's a bit but I'm looking for more details. For instance, what is the appropriate value for "fields type"?
akat
erp, why did you message twice?
whack
strings
ch0pstick joined the channel
Guest79662: fields are just string-string mappings
ch0pstick has quit
ch0pstick joined the channel
ch0pstick has quit
Guest79662
@whack string-string mapping between what? and what?
digiv_away is now known as digiv
stackedsax3 joined the channel
@whack I'm guessing "fields" is supposed to describe a log entry, the various fields on the log entry, etc.
rhoml has left the channel
whack
Guest79662: oh, I suppose I should be more clear
bradgignac_ joined the channel
Guest79662: every line read from files by logstash-forwarder becomes an event. Using 'fields' you can attach extra data to every event
This is useful for marking what kind of log it is, perhaps some other data like cluster name, purpose, role, etc
artbikes joined the channel
drdre has quit
mikeybis_ joined the channel
it's a way to annotate logs before they leave the forwarder
stackedsax has quit
Guest79662
whack: got it
akat
Guest79662: So let's say you're forwarding Apache logs, you might forward access.log, ssl_access.log, error.log, etc
but you might want to mark them all as one kind
so you could set it to "apache"
Guest79662
A good example might be the host name?
pheaver joined the channel
mikeybis_ has quit
mikeybisbo
whack: okay great, I'll have a play with 0.90.10! thanks