
I'm using koajs with bunyan to save error logs to my server, and then I use filebeat to ship them to my logstash application.

My error logs are being forwarded correctly; however, I would now like to create a filter which will add a tag to specific logs.

{"name":"myapp","hostname":"sensu-node-dev","pid":227,"level":50,"err":{"message":"Cannot find module 'lol'","name":"Error","stack":"Error: Cannot find module 'lol'\n    at Function.Module._resolveFilename (module.js:339:15)\n    at Function.Module._load (module.js:290:25)\n    at Module.require (module.js:367:17)\n    at require (internal/module.js:16:19)\n    at Object.<anonymous> (/srv/www/dev.site/app.js:27:6)\n    at next (native)\n    at Object.<anonymous> (/srv/www/dev.site/node_modules/koa-compose/index.js:29:5)\n    at next (native)\n    at onFulfilled (/srv/www/dev.site/node_modules/co/index.js:65:19)\n    at /srv/www/dev.site/node_modules/co/index.js:54:5","code":"MODULE_NOT_FOUND"},"msg":"Cannot find module 'lol'","time":"2016-02-24T22:04:26.492Z","v":0}

Now the interesting part in that specific log is "err":{...} and the "name":"Error" bits. For simplicity's sake, I would just like to create a filter which detects "name":"Error" in the log (if it exists) and then applies a tag add_tag => ["error"] to the log.

Here is my /etc/logstash/conf.d/logstash.conf file:

input {
  beats {
    port => 5044
    type => "logs"
  }
}
filter {
  grok {
    type => "logs"      # the beats input above sets type => "logs", not "log"
    pattern => "???"    # <--- have no idea what to do here
    add_tag => ["error"]
  }
}
output {
  elasticsearch {
    hosts => "localhost:9200"
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
  http {
    http_method => "post"
    url => "<MY_URL>"
    format => "message"
    # inner quotes inside a double-quoted config string must be escaped with \"
    message => "{\"text\":\"dis is workinz, you has error\"}"
    tags => ["error"]
  }
}

I tried the following:

pattern => ""name":"Error""

But got the following error:

Error: Expected one of #, {, } at line 9, column 31 (byte 107) after filter {
  grok {
    match => { "message" => ""
You may be interested in the '--configtest' flag which you can
use to validate logstash's configuration before you choose
to restart a running system.

There is no simple example of this specific type of matching anywhere.

Bonus: Also, how does one escape in logstash? I couldn't find anything on the subject.

basickarl

1 Answer


If you only want to see if a string exists in your message, try this:

# regex match on the raw message field; the tag value is the one from the question
if [message] =~ /"name":"Error"/ {
    mutate {
        add_tag => [ "error" ]
    }
}

If you really want to grok the input into fields, check out the json codec or filter instead.

Alain Collins
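Applying the answer's second suggestion to the bunyan line from the question, as an added example (not the answer's own code and not from the Logstash project): the json filter parses the line into fields, the tag is set on the structured values rather than on a substring, and the http output is gated on the tag with the inner quotes escaped. It assumes Filebeat delivers each line in [message], that <MY_URL> stays a placeholder, and that the field names bunyan, error_code and error_message are my choice.

```logstash
filter {
  # Bunyan writes one JSON object per line; Filebeat ships it in [message].
  # Parse it into its own field so nested keys such as [err][name] become
  # addressable instead of regex-matching the raw string.
  if [message] =~ /^\{/ {
    json {
      source => "message"
      target => "bunyan"
      # On malformed input the json filter tags the event _jsonparsefailure
      # and leaves [message] untouched, so the conditions below never fire.
    }
  }

  # Bunyan levels: 10 trace, 20 debug, 30 info, 40 warn, 50 error, 60 fatal.
  if [bunyan][err][name] == "Error" or [bunyan][level] >= 50 {
    mutate { add_tag => [ "error" ] }
  }

  # Promote the values an alert needs (field names are my choice).
  if [bunyan][err] {
    mutate {
      add_field => {
        "error_code"    => "%{[bunyan][err][code]}"
        "error_message" => "%{[bunyan][err][message]}"
      }
    }
  }
}

output {
  elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }

  # Route on the tag with a conditional rather than the deprecated
  # tags => [...] output option.
  if "error" in [tags] {
    http {
      http_method => "post"
      url => "<MY_URL>"
      format => "message"
      content_type => "application/json"
      # Inside a double-quoted config string, escape inner quotes with \".
      # Note: %{...} substitution does not JSON-escape the field values.
      message => "{\"text\":\"%{[bunyan][hostname]} pid %{[bunyan][pid]}: %{error_message} (%{error_code})\"}"
    }
  }
}
```

Because sprintf substitution does not escape quotes in the inserted values, prefer format => "json" with the http output's mapping option when the alert text can contain arbitrary error messages.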