Kurukshetran · September 27, 2018 11:38
diff --git a/logstash.conf b/logstash.conf
 input {
  file {
    type => "java"
    tags  => [ "fornax-data-share-eureka" ]
    # Logstash insists on absolute paths...
    path => "D:/fornax-data-share-runtime/eureka/fornax-data-share-eureka.log"
    codec => multiline {
      pattern => "^%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}.*"
      negate => "true"
      what => "previous"
    }
  }
 }

 filter {
  #If log line contains tab character followed by 'at' then we will tag that entry as stacktrace
  if [message] =~ "\tat" {
    grok {
      match => ["message", "^(\tat)"]
      add_tag => ["stacktrace"]
    }
  }

  #Grokking Spring Boot's default log format
  grok {
    match => [ "message", 
               "(?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME})  %{LOGLEVEL:level} %{NUMBER:pid} --- \[(?<thread>[A-Za-z0-9-]+)\] [A-Za-z0-9.]*\.(?<class>[A-Za-z0-9#_]+)\s*:\s+(?<logmessage>.*)",
               "message",
               "(?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME})  %{LOGLEVEL:level} %{NUMBER:pid} --- .+? :\s+(?<logmessage>.*)"
             ]
  }

  #Parsing out timestamps which are in timestamp field thanks to previous grok section
  date {
    match => [ "timestamp" , "yyyy-MM-dd HH:mm:ss.SSS" ]
  }
 }

 output {
  # Print each event to stdout, useful for debugging. Should be commented out in production.
  # Enabling 'rubydebug' codec on the stdout output will make logstash
  # pretty-print the entire event as something similar to a JSON representation.
  stdout {
    codec => rubydebug
  }

  # Sending properly parsed log events to elasticsearch
  elasticsearch {
    hosts => [ "192.168.190.11:9200" ]
  }
 }
	input {
	file {
	type => "java"
	tags => [ "fornax-data-share-eureka" ]
	# Logstash insists on absolute paths...
	path => "D:/fornax-data-share-runtime/eureka/fornax-data-share-eureka.log"
	codec => multiline {
	pattern => "^%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}.*"
	negate => "true"
	what => "previous"
	}
	}
	}

	filter {
	#If log line contains tab character followed by 'at' then we will tag that entry as stacktrace
	if [message] =~ "\tat" {
	grok {
	match => ["message", "^(\tat)"]
	add_tag => ["stacktrace"]
	}
	}

	#Grokking Spring Boot's default log format
	grok {
	match => [ "message",
	"(?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}) %{LOGLEVEL:level} %{NUMBER:pid} --- \[(?<thread>[A-Za-z0-9-]+)\] [A-Za-z0-9.]\.(?<class>[A-Za-z0-9#_]+)\s:\s+(?<logmessage>.*)",
	"message",
	"(?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}) %{LOGLEVEL:level} %{NUMBER:pid} --- .+? :\s+(?<logmessage>.*)"
	]
	}

	#Parsing out timestamps which are in timestamp field thanks to previous grok section
	date {
	match => [ "timestamp" , "yyyy-MM-dd HH:mm:ss.SSS" ]
	}
	}

	output {
	# Print each event to stdout, useful for debugging. Should be commented out in production.
	# Enabling 'rubydebug' codec on the stdout output will make logstash
	# pretty-print the entire event as something similar to a JSON representation.
	stdout {
	codec => rubydebug
	}

	# Sending properly parsed log events to elasticsearch
	elasticsearch {
	hosts => [ "192.168.190.11:9200" ]
	}
	}