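# first cut of a logstash import for Config Mgr / SCCM 2012 logfiles
#
# Pipeline: tail one CCM log file, stitch the multi-line <![LOG[...]LOG]!>
# records back together, pull message/time/date/component out with grok,
# build @timestamp from the record's own time and date, then ship each event
# to Elasticsearch (and echo it to stdout while developing).
input {
  file {
    # NOTE(review): the path is kept as written; the file input treats path
    # as a glob, so confirm this resolves on the target host (forward slashes
    # are generally the safer form for Windows paths here) — TODO confirm.
    path => "c:\temp\logs\CcmExec.log"
    start_position => beginning
    codec => multiline {
      # match any line not starting with <
      # (negate => true with what => "previous": a line that does NOT begin
      # with '<' is a continuation and is appended to the preceding record)
      pattern => "^(?:<).*"
      what => "previous"
      negate => true
    }
  }
}

filter {
  # when we use multiline, we need to remove the new line so grok works across the whole string (of multiple lines)
  mutate {
    gsub => ["message", "\r\n", " "]
  }

  grok {
    # Leading whitespace and '+' signs inside the LOG[...] payload are skipped
    # before the message is captured. The original "[\s|+]*" was a character
    # class, in which '|' is a literal, so leading pipe characters were being
    # stripped from messages as well; "(?:\s|\+)*" matches only what was meant.
    # Everything between the captured time and the component attribute
    # (including any offset that follows the time) is consumed by [\s\S]*.
    match => [ "message", '<!\[LOG\[(?:\s|\+)*%{GREEDYDATA:message}\]LOG\]!><time="%{TIME:time}[\s\S]*date="%{DATE:date}[\s\S]*component="(?<component>\w*)"' ]
    overwrite => [ "message" ]
  }

  # Only derive @timestamp when grok actually matched. Otherwise the sprintf
  # references below stay literal ("%{time} %{date}"), the date filter fails,
  # and the event is indexed with a bogus scratch field plus both
  # _grokparsefailure and _dateparsefailure tags.
  if "_grokparsefailure" not in [tags] {
    mutate {
      add_field => {
        "timestampToParse" => "%{time} %{date}"
      }
    }

    date {
      # Time first, then date: the same order the scratch field was built in.
      match => [ "timestampToParse", "HH:mm:ss.SSS MM-dd-yyyy"]
      locale => "en"
      # The record's own offset is discarded by the grok pattern above, so the
      # source timezone is fixed here; change it for logs from another site.
      timezone => "Australia/Brisbane"
      target => "@timestamp"
    }

    # The scratch fields have done their job once @timestamp is set.
    mutate {
      remove_field => [ "time" ,"date", "timestampToParse" ]
    }
  }
}

output {
  elasticsearch {
    # Only the protocol is set here: this talks to the default (local) node
    # over plaintext HTTP with no authentication. Configure the target host,
    # TLS and credentials in this block before pointing it at a shared cluster.
    protocol => "http"
  }
  # Echoes every event to the console; handy while tuning the grok pattern,
  # but drop it once the pipeline runs unattended.
  stdout {
  }
}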