this is what I've made till now but still I'm getting messed up data in logstash
i have 3 domains XXX1 XXX2 and XXX3 and all of them should write to one output
I know i could do it by just merging the files in one but i tried this way because it was easier for me to use it with puppet
talos: i have one output
ok so if i would put an if at the start of filter section and then in output it should work right ?
FlashDel
Rumbles: maybe you could help me on another problem, i got two log types which should be written into one daily index. this works so far and there are several indexes with test-YYYY-MM-DD. But in kibana i would like to search all those indexes, so i created a template named test-* and assigned it to both indexes, but that doesn't work. Here is my config and template, do you have a hint for me? http://pastebin.com/JqguYZfw
hmmmm can't say I've tinkered much with indexes in kibana
what does it come back with, anything, errors?
in kibana
FLP that conditional in the config you pastebinned would mean only the files from XXX1 would go to your output
i.e. if [path] =~ "XXX1" would only match events which came from a path which matches the regex XXX1 in some way
so if they are XXX1 XXX2 XXX3 the regex =~ "XXX" should work for all?
FLP
Rumbles that was just one file and that was just for domain XXX1 now i have three files each for XXXn
but i think i know now the way
will try and get back
THX
!!
FlashDel
Rumbles: there is no error, i guess i will have to use aliases?
FLP
Rumbles works perfectly
Rumbles
not sure FlashDel, might be worth hanging around and waiting for the USA to come online, or ask in #kibana ?
LordFire
i don't understand why kibana4 doesn't show tags of my file, instead logstash in logstash.stdout i saw that all parsing is correct... bah
smeevil
Hi
Rumbles
hello
smeevil
I was wondering if someone could tell me if it's possible to use grok to add a field with a value matched from message but with its own regexp specifically for that field.
Rumbles
yep
create your own pattern
or
smeevil
Rumbles: yeah figured that ;) but the question more is, how to apply that pattern again :)
let me show you a small example to clarify what i would like to accomplish
so, I'm not sure this is what you wanted: add_field => [ "contract_id", "%{contract_id}"] << this would add a field called contract_id which holds the content of the captured field %{contract_id}, but as far as I can see you haven't captured %{contract_id} in your grok pattern
smeevil
exactly my problem :) how can i give a secondary search pattern to extract that ?
Rumbles
if you have a pattern called CONTRACT_ID, and have it in your grok match, and capture using %{CONTRACT_ID:contract_id} it will generate the field contract_id when it captures the data
can you give some example log lines? you say that the contract id information can be in any part of the message?
assuming you have CONTRACT_ID defined in a pattern file, you could use (?:%{CONTRACT_ID:contract_id}|) anywhere in your pattern that that information could be found, that will match the pattern or nothing at all (using (?:%{PATTERN}|) the bit after the | is nothing, so will match one thing or the other)
let me rephrase that
(using (?:%{PATTERN}|) the bit after the | is nothing, so will match %{PATTERN} or nothing)
tigryss did you look at what I sent you back last time? you can match onpath, but you may as well just define the type on your input and use a conditional for the type
then forget about using mutate to add your type
tigryss
ok
Sir_Michael
that's why i love the kv filter ;)
Rumbles
also, if you use 2 spaces for each indentation, stick to that, don't use random amounts of spaces to indent, it makes it really difficult to read
each { or } should be on a new line
mdempsey
Hi, I've imported a few million files into logstash and then realised I didn't have any grok filters against it. I want to reimport the files again so that the filters are associated against the data properly. I don't have a $HOME/.sincedb path, is there a way to reset the filter?
Rumbles
I don't have OCD but that config makes my skin crawl :/
smeevil
Rumbles: to clear up what i want to achieve : We have quite a big stack of services and servers. these will all process stuff in one way or the other but what they all have in common is that most of the time they will have a reference to a contract_id somewhere in their logline. now I'd like to search for a given contract id and trace the whole path of that given contract id throughout all the moving parts. does that make sense ?
Rumbles
mdempsey what input did you use?
Sir_Michael
smeevil do you have an example of a few of your loglines ?
Rumbles
I see what you mean smeevil
that should be possible
tigryss
Rumbles i can't change the logs :))))
mdempsey
@Rumbles: I used file
Rumbles
but yeah ^^ examples and I can advise further
smeevil
so that's why i'd like to apply a second match to see if i can extract...arbitrary data... and add that to fields if it has been found
mdempsey
with start_position => beginning
smeevil
meaning it might or might not be in there :D but if it is, extract it and add it as a field
Rumbles
mdempsey if you run "locate .sincedb" you should find your sincedb file (assuming you're on linux)
mine live in /var/lib
yeah smeevil look at my earlier posts, use (?:%{PATTERN}|)
it will match it if is there, and still match if it isn't
if there is data your field will be populated
if there is nothing there the field won't be populated
mdempsey
Rumbles thanks, yeah on linux will have a look now
Rumbles
if it can appear in 3 or 4 different places in the log entry, you just need to place that pattern in all the places it might occur
Rumbles really should do some work
smeevil
Rumbles: thanks for that suggestion, that was my initial approach, but might make the patterns even more unreadable :) also it might occur in information that is already being matched as a whole.
I'll try and investigate further :) i think it should be possible to run multiple matches / operations against a single line
Rumbles
yeah you can
within your grok you can have one match, then a second, then a thrid etc
third :/
smeevil
oh ! that might be it then :)
do you happen to have an example of that ?
if i understand correctly it's like : if this matches, do this if not go on, then if this matches, do this... etc:)
Rumbles
1 sec
mdempsey
Rumbles Looks like it's not there, getting no files found.
Rumbles
updatedb mdempsey ?
smeevil
I'll leave you be after that :P thanks for your help man, appreciated !
mdempsey
Rumbles yeah tried that as well, still nothing
Rumbles
:(
not sure then tbh...
you could define a sincedb path in your input
then restart ls
it should then start a new one?
mdempsey
yeah that was my next thought
Rumbles is guessing here
will give that a shot and see what happens
Rumbles
gl :)
mdempsey
:)
dariusjs
when it comes to elk, is there a way to modify an existing mapping of a key? I've modified the template but I have some misunderstanding on how to modify the existing mapping on the indices https://gist.github.com/dariusjs/f263dad5d9a209...