CloudFabrix Documentation
Asset IntelligenceOps IntelligenceObservabilityRobotic Data
  • Getting Started
  • CloudFabrix Overview
  • AIOps Platform
  • AIOps Solutions
  • CloudFabrix RDA
    • RDA - Overview
      • RDA - Terminology and Artifacts
    • RDA - Installation
      • Linux OS
      • Windows OS
      • Mac OS
      • RDA Client
      • Worker Nodes
      • Event Gateway
      • Edge Collector
      • Log Shippers
        • Filebeat
        • Fluentd
        • Rsyslog
        • Syslog (udp)
        • Splunk forwarder (Windows and Linux)
        • Winlogbeat (Windows)
      • RDA Log Archives
    • RDA - Administration
      • RDA - Configuration
    • RDA - User Guide
      • RDA - AIOps Studio
        • AIOps Studio - Solution Packages
        • AIOps Studio - Pipelines
        • AIOps Studio - Explore
        • AIOps Studio - Administration
        • RDA CLI in UI
        • AIOps Studio - Examples
          • File Operations
          • Loop Operations
          • Data Management Operations - cfxdm
          • Data mapping - cfxdm - dm:eval
          • Filters - cfxdm - dm:filter
          • Data mapping - cfxdm - dm:map
          • Metadata - cfxdm-dm:metadata
          • Data mapping - cfxdm - dm:functions
            • Any_non_null
            • Concat
            • Datetime
            • Date and Timestamp
            • Evaluate
            • Fixed
            • Highest
            • Join
            • jsonDecode
            • Lower
            • Lowest
            • Match
            • Minutes_Between
            • Replace
            • Seconds_Between
            • Slice
            • Split
            • Strip
            • To_Numeric
            • Ts_To_Datetimestr
            • Upper
            • When_Null
          • Data Mapping cfxdm - dm:sort
          • Data Mapping cfxdm - dm:head
          • Data Mapping cfxdm - dm: tail
          • Data Mapping cfxdm - dm: dedup
          • Data Mapping cfxdm - dm:selectcolumns
          • Data Mapping cfxdm - dm:fixcolumns
          • Data Mapping cfxdm - dm:mergecolumns
          • Data Mapping cfxdm - dm:describe
          • Data Mapping cfxdm - dm:save
          • Data Mapping cfxdm - dm:savedlist
          • Data Mapping cfxdm - dm:recall
          • Data Mapping cfxdm - dm:concat
          • Data Mapping cfxdm - dm:groupby
          • Data Mapping cfxdm - dm:to_type
          • Data Mapping cfxdm - dm:enrich
          • Data Mapping cfxdm - dm:dns_ip_to_name
          • Data Mapping cfxdm - dm:dns_name_to_ip
        • AIOps Studio - Datasource Examples
          • Elasticsearch (v1)
      • RDA - Data Management (cfxdm)
        • cfxdm - dm:filter
        • cfxdm - dm:map
        • cfxdm - dm:functions
        • cfxdm - dm:sort
        • cfxdm - dm:head
        • cfxdm - dm:tail
        • cfxdm - dm:dedup
        • cfxdm - dm:selectcolumns
        • cfxdm - dm:mergecolumns
        • cfxdm - dm:describe
        • cfxdm - dm:hist
        • cfxdm - dm:bin
        • cfxdm - dm:fixcolumns
        • cfxdm - dm:save
        • cfxdm - dm:savedlist
        • cfxdx - dm:recall
        • cfxdm - dm:concat
        • cfxdm - dm:groupby
        • cfxdm - dm:enrich
        • cfxdm - dm:to_type
        • cfxdm - dm:dns_ip_to_name
        • cfxdm - dm:dns_name_to_ip
        • cfxdm - files:loadfile
      • RDA Terminal
        • Examples using Terminal / Commandline
    • RDA - Bot Documentation
    • RDA - Datasource Integrations
      • AppDynamics
      • Dynatrace
      • Dell EMC Unity
      • Elasticsearch
      • Infoblox NetMRI
      • Kubernetes Cluster
      • Linux OS
      • Microsoft Windows Server OS
      • Nagios XI
      • NetApp Clustered ONTAP
      • PRTG Network Monitor
      • VMware vCenter
      • VMware vRealize Operations
    • RDA - Python API
      • Class CaaSDataset
      • Class CaaSClient
      • Python API Example
    • RDA - FAQ
      • Download and Installation
      • Troubleshooting
  • CFXQL - CFX Query Language
    • CFXQL User Interface
  • Operations Intelligence Analytics (OIA)
    • Solution Overview
      • Navigating cfxOIA
      • Any title
    • Administration Guide
      • Active Directory Integration
      • Add Customer
      • First Steps
      • OIA Users
      • Add New Users and Assign Roles
      • Add Environment
      • Add Gateway
      • Add DataSource
      • Add Project
      • Project Configuration
      • Stacks
      • Teams
    • User Guide
      • Incidents
        • Incident
        • Stack
      • Alerts
      • Outcomes
  • INTEGRATIONS
    • Zabbix
    • AppDynamics
    • Dynatrace
    • NetApp C Mode
    • NetApp 7 Mode
    • Splunk Enterprise
    • VMware vCenter
  • OBSERVABILITY
  • Observability - IT Infrastructure Monitoring (cfxPulse)
    • Getting Started
    • Solution Overview
    • Installing cfxPulse Collector
    • Administrator Quick Start Guide
      • Prerequisites
      • Accessing cfxPulse
      • Configuration of cfxPulse
      • Setting Up Monitoring
      • Monitoring Using Prometheus Agents
      • How to add Prometheus Agent Details
      • Discovery of Devices
      • Monitoring Dashboard
    • End User Quick Start Guide
      • Portal Navigation
      • Monitoring Analysis
      • Monitoring
      • Alerts and Incidents
      • Reports
      • NOC/Ops
      • Configuration Backups
      • Interacting With Tabular Reports
      • Creating Custom Dashboards
  • Observability - Log Monitoring & Analytics (CFX LogAnalytics or CLA)
    • Getting Started
    • Solution Overview
    • Solution Key Components
    • Log Forwarding
      • Install and Configure Logstash
      • Sending Logs to Logstash Forwarder
    • Log Collection
      • Collecting Logs from Linux
    • Log Transformation & Enrichment
    • Logstash Installation
      • How to install Java / Logstash on client side
  • Asset Intelligence Analytics (AIA) Solution
    • Getting Started
    • Solution Overview
    • AIA Roles
      • Platform Admin
        • Managed Service Provider (MSP)
        • Authentication Server
        • Set Up Services
        • Organizations
        • Users
      • Organization Admin
        • My Organizations
      • Organization Executive
      • Organization User
    • AIA Tasks, Functions
      • Home Page Navigation
      • Filters
      • Settings Menu
      • Notifications
      • Authentical Server
      • How to Add, Edit, Delete MSP
      • Actions
        • Services
        • Files
        • Dictionaries
        • Discovery Jobs
        • Snapshots
        • Clambda Jobs
        • State Operations
        • Replacement Rate
      • Details
        • Overall
        • POR Insights
        • HW Assets
        • SW Assets
        • Contracts
        • App Dependency
        • Asset List
    • AIA API
    • Enterprise Discovery
      • cfxEdgeCollector
        • Deployment of cfxEdgeCollector
        • Configuration of cfxEdgeCollector
        • cfxEdgeCollector Command Line Options
        • cfxEdgeCollector Help Command
        • Working With cfxEdgeCollector
        • cfxEdgeCollector Auto Export
    • Asset Intelligence & Analytics (AIA) (Delete)
  • CloudFabrix SaaS
    • Signup
    • Navigation
    • User Roles
  • Support
    • Contact Support
Powered by GitBook
On this page
  1. Observability - Log Monitoring & Analytics (CFX LogAnalytics or CLA)

Log Transformation & Enrichment

Selective forwarding of logs with filters. Log transformation with computed data or Log enrichment with new attributes - using grok patterns

Advanced Usage

The previous example doesn't show how to parse the correct timestamp or how to ship multi-line logs. These are important issues that can easily be addressed.

To get started, let's assume our logs contain a timestamp (UTC), severity and message. If your logs have different structure you'll need to make small adjustments to the configs below.

2015-10-03 12:01:58,345 ERROR Processing request failed.

Multi-line messages require a slight changed input section.

input {
  file {
    path => "/var/log/test.log"
    start_position => "beginning"
    codec => multiline {
      pattern => "^%{TIMESTAMP_ISO8601}"
      negate => true
      what => "previous"
    }
  }
}
The pattern looks for log lines starting with a timestamp and, until a new match is found, all lines are considered part of the event. This is done by setting the negate parameter to true.
Parsing logs means adding a new section to the config file:
filter {
  grok {
    match => [ "message", "(?m)%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:severity} %{GREEDYDATA:message}" ]
    overwrite => [ "message" ]
  }
  date {
    match => [ "timestamp" , "yyyy-MM-dd HH:mm:ss,SSS" ]
  }
}
PreviousCollecting Logs from LinuxNextLogstash Installation

Last updated 4 years ago

The filter splits the log content into 3 variable. The (?m) in the beginning of the regexp is used for multi-line matching. Otherwise, only the first line would be read. The patterns used in the used in the regexp are provided with LogStash and should be used when possible to simplify regexps. By default, the timestamp of the log line is considered the moment when the log line is read from the file. the filter changes the timestamp to the one matched earlier by the grok filter.

grok
regexp
date