#logstash

I'm probably being too black and white about it but I didn't see it on the cookbook page so thought I'd ask

Yeah, set something here: http://logstash.net/docs/1.4.1/inputs/udp#type

Title: logstash - open source log management (at logstash.net)

thanks man i'll give it a go

well shit

and then wrap your filter in a if [type] == "mytype" { } ... or you could add a tag, and use a condiditional on the tag, etc

it's 3:45 on a friday I guess I didn't see it lol

:)

Been there! No problem :)

I cna't set up multiple instances of the same input can I?

many to many sort of thing

jason__: You can

Sure can... not listening on the same port, of course, but you could have multiple udp inputs

is that how it's done if I have a ton (which I do) of thing I might need to parse out? say to differentiate a juniper ex4550 from a 3300 or 4200?

what's the "standard"

Alright this is blowing my mind... I have an input that uses the json codec, and in the json payload, there's an array. I'm assuming the array is being turned into a logstash array (when dumped into elasticsearch, the JSON looks right). Now, I'm trying to pass that array as-is to the "increment" field in a statsd output, which takes an array value

Doesn't seem to work for me, though.

Seems that one should be able to take a field that is an array and then pass it to a setting in a plugin that accepts an array.

anyone load balancing logstash instances with haproxy?

This grok filter should work, right?

match => {"message" => "%{COMBINEDAPACHELOG}", "message" => "%{MEDIASERVERALIAS:media_server_alias}"}

does anyone run logstash with supervisord, and if so, have you found any problems when trying to specify a pluginpath?

jerrac: Mmm... don't think so. However, what are you trying to do?

add the media_server_alias field with the regex I've set in my patterns folder.

what about match => {"message" => "%{COMBINEDAPACHELOG} %{MEDIASERVERALIAS:media_server_alias}"}

I *think* you'd need two grok filters, but I could be wrong

filter { grok { if [type] == "juniper" { match => [ "message" %SYSLOGBASE ] } } }

That would assume that the message always contained a "combined apache log" followed by a space, followed by whatever "mediaserveralias" parses

like that or?

ah

You don't need two grok filters, but it can be more efficient.

You can try to match multiple patterns and decide what to do on a match.

I did try a second grok filter earlier. It didn't work quite the way I expected.

volter: Would you use: match => { "message" => "someregex", "message" => "someotherregex" } then? The docs say match should take a hash, but the example passes an array, so that's kinda confusing :)

I think my notation was without a comma, but continuing on the next line. I'm not good with the grammar there.

I wish the examples had one or two with more than a single match.

jerrac: Oh heck... that's what you just said, that I said wouldn't work :D Sorry!! I thought you had an array in your match setting

I think it's time for me to go home :/

or coffee!

Yay for afternoon coffee :D

:)

would http://pastebin.com/sBtvTNZQ work?

Title: logstash grokking - Pastebin.com (at pastebin.com)

jerrac: look at the Cisco Asa example on the logstash cookbook

Anyone have any ideas with my "JSON array -> json codec -> output setting that accepts an array" issue?

walkeran: could you gist your config, and sample data. also, if possible add the stdout output plugin with rubydebug codec.

walkeran: also, increment takes an array of names... not an array.

Coolacid[cloud]: Will do the gist. However, "increment takes an array of names... not an array." confuses me. Sounds like my issue, but that doesn't make sense to me

is there any word on improving the rabbitmq plugins? From what I can tell right now, logstash keeps retrying rabbit indefinitely if it can't connect...

walkeran: so, your giving the statsd output the names of the counters you want to increment,

patarr: not that I saw, there is a jira with some ideas tho.

bbiab, and I'll help again.

logstash isnt prod ready yet :(