Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Logstash: Keeping a value across events

Tags:

date

grep

multiline

logstash

logstash-grok

I have a date that is only present once in every log file and I am trying to add this date to all following events after it has been matched once, making it act like a global variable in some ways. (The date is at the top of the document and I am unable to use multiline or make changes to the file name or content)

For this, my approach is to use a grep filter with drop => false. 

grok {
    patterns_dir => "[...]"
    match => [ "message", "%{DATELINE}" ]
    tag_on_failure => [ ]
}
grep {
    add_field => { "grepdate" => "%{mydate}" }
    drop => false
}
date {
    locale => "en"
    timezone => "Europe/Paris"
    match => [ "grepdate", "yyyyMMdd" ]
    target => "grepdate"
}

Regular expression:

DATELINE (= Date: (?<mydate>[0-9]{8}))

What I notice is that the grepdate field is correctly being added to all events - which is what I want - but the value of that field is not the date itself (the value of %{mydate}), but the actual string "%{mydate}", except when actually being matched for the first time (when parsing the actual date in my log file, the grepdate field contains the correct value)

What can I do to fix this?

Any help is greatly appreciated.

Edit:

I am now trying a solution that includes the use of the memorizeplugin. However, I am getting the following error:

Cannot use more than 1 filter worker because the following plugins don't work with more than one worker: memorize

Is there a way to make this filter thread-safe?

like image 454
halpsb Avatar asked Mar 25 '15 14:03

halpsb

1 Answers

Maybe you should use the official aggregate filter for this, since memorize is not official and will not work with Logstash >2.0.

It would go like this:

# same as what you have now
grok {
    patterns_dir => "[...]"
    match => [ "message", "%{DATELINE}" ]
    tag_on_failure => [ "not_date_line" ]

}
# add a fictional taskId field to correlate all lines
mutate {
   add_field => { "taskId" => "all" }
}

# if we're processing the first line, remember the date
if "not_date_line" not in [tags] {
    aggregate {
        task_id => "%{taskId}"
        code => "map['mydate'] = event['mydate']"
    }
} 
# if we're processing the next lines, add the date
else {
    aggregate {
        task_id => "%{taskId}"
        code => "event['mydate'] = map['mydate']"
        map_action => "update"
        timeout => 0
    }
}

All your events will then have a mydate field with the date that was on the first log line.

like image 180
Val Avatar answered Oct 04 '22 05:10

Val
Sign in to Comment

Related questions

Convert String to appropriate DataType
How To Add Ordinal Abbreviations Format To Date In iOS e.g. "th" , "st" [duplicate]
heuristic (fuzzy) date extraction from the string?
Finding intersection of dataframe rownames
Subtraction of 1ms leads to unexpected behaviour
Knitr behavior with date objects
Parsing Time, Date/Time, or Date
Date_trunc by month? Postgresql
Get the time of other TimeZone by date string, the result is wrong
Basic JUnit of date check
Java 'Date' object size [closed]
Fill in missing year in ordered list of dates
How to smartly convert a number of seconds in a date-time value using C
Removing gap between ggplot y-axis and first x-value
Converting string to date with Ruby
Error when comparing two dates
R: How do I change gaps (holidays) in a time series of a daily index of the stock exchange by the previous day's information?
check format of date with moment.js
easy way to loop over months and years from a given date
different result for yyyy-mm-dd and yyyy/mm/dd in javascript when passed to "new Date" [duplicate]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!