CloudFabrix Documentation
Asset IntelligenceOps IntelligenceObservabilityRobotic Data
Search…
Getting Started
CloudFabrix Overview
AIOps Platform
AIOps Solutions
CloudFabrix RDA
RDA - Overview
RDA - Installation
RDA - Administration
RDA - User Guide
RDA - Bot Documentation
RDA - Datasource Integrations
RDA - Python API
RDA - FAQ
CFXQL - CFX Query Language
Operations Intelligence Analytics (OIA)
Solution Overview
Administration Guide
User Guide
INTEGRATIONS
Zabbix
AppDynamics
Dynatrace
NetApp C Mode
NetApp 7 Mode
Splunk Enterprise
VMware vCenter
OBSERVABILITY
Observability - IT Infrastructure Monitoring (cfxPulse)
Observability - Log Monitoring & Analytics (CFX LogAnalytics or CLA)
Getting Started
Solution Overview
Solution Key Components
Log Forwarding
Log Collection
Log Transformation & Enrichment
Logstash Installation
Asset Intelligence Analytics (AIA) Solution
Getting Started
Solution Overview
AIA Roles
AIA Tasks, Functions
AIA API
Enterprise Discovery
Asset Intelligence & Analytics (AIA) (Delete)
CloudFabrix SaaS
Signup
Navigation
User Roles
Support
Contact Support
Powered By GitBook
Log Transformation & Enrichment
Selective forwarding of logs with filters. Log transformation with computed data or Log enrichment with new attributes - using grok patterns

Advanced Usage

The previous example doesn't show how to parse the correct timestamp or how to ship multi-line logs. These are important issues that can easily be addressed.
To get started, let's assume our logs contain a timestamp (UTC), severity and message. If your logs have different structure you'll need to make small adjustments to the configs below.
2015-10-03 12:01:58,345 ERROR Processing request failed.
Multi-line messages require a slight changed input section.
input {
file {
path => "/var/log/test.log"
start_position => "beginning"
codec => multiline {
pattern => "^%{TIMESTAMP_ISO8601}"
negate => true
what => "previous"
}
}
}
The pattern looks for log lines starting with a timestamp and, until a new match is found, all lines are considered part of the event. This is done by setting the negate parameter to true.
Parsing logs means adding a new section to the config file:
filter {
grok {
match => [ "message", "(?m)%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:severity} %{GREEDYDATA:message}" ]
overwrite => [ "message" ]
}
date {
match => [ "timestamp" , "yyyy-MM-dd HH:mm:ss,SSS" ]
}
}
The grok filter splits the log content into 3 variable. The (?m) in the beginning of the regexp is used for multi-line matching. Otherwise, only the first line would be read. The patterns used in the regexp used in the regexp are provided with LogStash and should be used when possible to simplify regexps. By default, the timestamp of the log line is considered the moment when the log line is read from the file. the date filter changes the timestamp to the one matched earlier by the grok filter.
Previous
Collecting Logs from Linux
Next
Logstash Installation
Last modified 2yr ago
Copy link