I want to send data from java application to logstash.
Sending it to " curl " is good, but it does not send it to "java restTemplate"
"curl" example : OK
$ curl -XPOST -H "Content-Type: application/x-ndjson" "http://10.97.8.151:18080" --data-binary #data.txt
data.txt
{"index":{"_index": "myIndex","_type":"myType"}}
{"data1":"value1","data2":"value2","data3":"value3"}
This works well. However, " Java restTemplate " did not work as follows.
Everything else is identical and the data form is different.
{"index":{"_index": "myIndex","_type":"myType"}}\n{"data1":"value1","data2":"value2","data3":"value3"}
I have tried to describe the type of data in the form of "application/x-ndjson"and I don't know where it was wrong.
How do you transfer data from " java application " to " logstash " in " java application "?
The " logstash config " file is as follows :
input {
http {
host => "0.0.0.0"
port => "12345"
codec => es_bulk {
}
}
}
output {
elasticsearch {
hosts => "x.x.x.x:yyyy"
index => "{[#metadata][_index]}"
document_type => "{[#metadata][_type]}"
template_name => "api"
}
stdout { codec => rubydebug { metadata => true } }
}
Ask for help.
The best way to do this is not to use the es_bulk codec in your http input, but simply let your events be plain text messages.
Then, instead of using an elasticsearch output, you can use the http output like this:
input {
http {
host => "0.0.0.0"
port => "12345"
codec => "plain"
}
}
output {
http {
http_method => "post"
url => "http://x.x.x.x:yyyy/_bulk"
format => "message"
message => "%{message}"
}
}
The big plus of this method is that your Logstash pipeline doesn't have to parse the "bulk" input just to recreate the same "bulk" output. In this case, you're simply using Logstash as a "pass-through". I don't see the value of this, though, you could have your Java application send the bulk payload directly to ES.
Related
I am using logstash pipeline to ingest data into rsyslog server .
But the pipeline is adding extra date stamp and %{host} at the beginning
example:
**Sep 22 04:47:20 %{host} 2022-09-22T04:47:20.876Z %{host}** 22-09-2022 05:47:20.875 a7bd0ebd9101-SLOT0 `TEST-AWS-ACTIVITY`#011970507 P 201059147698 `[FCH-TEST] [35.49.122.49] [TEST-251047********-******] [c713fcf9-6e73-4627-ace9-170e6c72fac5] OUT;P;201059147698;;;;/bcl/test/survey/checkSurveyEligibility.json;ErrorMsg=none;;{"body":{"eligible":false,"surveys":[]},"header":null}`**
Can anyone tell from where this extra part is coming and how to suppress this .
The data is coming from AWS cloudwatch installed on ECS containers.
The pipeline is configured as :
input { pipeline { address => test_syslog } }
filter {
if [owner] == "1638134254521" {
mutate { add_field => { "[ec_part]" => "AWS_TEST"} }
}
}
output {
#TEST ACTIVITY Logs being sent via TCP to Logreceiver
if [ec_part] == "AWS_TEST" {
syslog {
appname => ""
host => "10.119.140.206"
port => "10514"
protocol => "ssl-tcp"
ssl_cacert => "/etc/logstash/ca.crt"
ssl_cert => "/etc/logstash/server.crt"
ssl_key => "/etc/logstash/server.key"
priority => "info"
rfc => "rfc5424"
}
}
}
The default codec for an output is plain, and the if the format option is not specified then that will call the .to_s method on the event. The .to_s method adds the timestamp and %{host}. You can prevent this by adding
codec => plain { format => "%{message}" }
to your syslog output.
i have configured logstash 5.5 to use tcp protocol for give the json message.
input {
tcp {
port => 9001
codec => json
type => "test-tcp-1"
}
}
output {
elasticsearch {
hosts => ["127.0.0.1:9200"]
index => "logstash-%{type}-%{+YYYY.MM.dd}"
}
}
filter{
json { source => "message" }
}
The message has been received from logstash with successfully but elasticsearch not create a index ! Why ?
If use the same configuration with stdin input plugin work fine.
Many thanks.
I hope to find here an answer to my question that I am struggling with since yesterday:
I'm configuring Logstash 1.5.6 with a rabbitMQ input and an elasticsearch output.
Messages are published in rabbitMQ in bulk format, my logstash consumes them and write them all to elasticsearch default index logstash-YYY.MM.DD with this configuration:
input {
rabbitmq {
host => 'xxx'
user => 'xxx'
password => 'xxx'
queue => 'xxx'
exchange => "xxx"
key => 'xxx'
durable => true
}
output {
elasticsearch {
host => "xxx"
cluster => "elasticsearch"
flush_size =>10
bind_port => 9300
codec => "json"
protocol => "http"
}
stdout { codec => rubydebug }
}
Now what I'm trying to do is send the messages to different elasticsearch indices.
The messages coming from the amqp input already have the index and type parameters (bulk format).
So after reading the documentation:
https://www.elastic.co/guide/en/logstash/1.5/event-dependent-configuration.html#logstash-config-field-references
I try doing that
input {
rabbitmq {
host => 'xxx'
user => 'xxx'
password => 'xxx'
queue => 'xxx'
exchange => "xxx"
key => 'xxx'
durable => true
}
output {
elasticsearch {
host => "xxx"
cluster => "elasticsearch"
flush_size =>10
bind_port => 9300
codec => "json"
protocol => "http"
index => "%{[index][_index]}"
}
stdout { codec => rubydebug }
}
But what logstash is doing is create the index %{[index][_index]} and putting there all the docs instead of reading the _index parameter and sending there the docs !
I also tried the following:
index => %{index}
index => '%{index}'
index => "%{index}"
But none seems to work.
Any help ?
To resume, the main question here is: If the rabbitMQ messages have this format:
{"index":{"_index":"indexA","_type":"typeX","_ttl":2592000000}}
{"#timestamp":"2017-03-09T15:55:54.520Z","#version":"1","#fields":{DATA}}
How to tell to logstash to send the output in the index named "indexA" with type "typeX" ??
If your messages in RabbitMQ are already in bulk format then you don't need to use the elasticsearch output but a simple http output hitting the _bulk endpoint would do the trick:
output {
http {
http_method => "post"
url => "http://localhost:9200/_bulk"
format => "message"
message => "%{message}"
}
}
So everyone, with the help of Val, the solution was:
As he said since the RabbitMQ messages were already in bulk format, no need to use elasticsearch output, the http output to _bulk API will make it (silly me)
So I replaced the output with this:
output {
http {
http_method => "post"
url => "http://172.16.1.81:9200/_bulk"
format => "message"
message => "%{message}"
}
stdout { codec => json_lines }
}
But it still wasn't working. I was using Logstash 1.5.6 and after upgrading to Logstash 2.0.0 (https://www.elastic.co/guide/en/logstash/2.4/_upgrading_using_package_managers.html) it worked with the same configuration.
There it is :)
If you store JSON message in Rabbitmq, then this problem can be solved.
Use index and type as field in JSON message and assign those values to Elasticsearch output plugin.
index =>
"%{index}"
//INDEX from JSON body received from Kafka Producer document_type => "%{type}" } //TYPE from JSON body
With this approach , each message can have their own index and type.
I'm sending data in a url to logstash 5.2 and I would like to parse it in logstash, so every url parameter becomes a variable in logstash and I can visualize it properly in kibana.
http://127.0.0.1:31311/?id=ID-XXXXXXXX&uid=1-37zbcuvs-izotbvbe&ev=pageload&ed=&v=1&dl=http://127.0.0.1/openpixel/&rl=&ts=1488314512294&de=windows-1252&sr=1600x900&vp=1600x303&cd=24&dt=&bn=Chrome%2056&md=false&ua=Mozilla/5.0%20(Macintosh;%20Intel%20Mac%20OS%20X%2010_11_3)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/56.0.2924.87%20Safari/537.36&utm_source=&utm_medium=&utm_term=&utm_content=&utm_campaign=
This is my logstash conf file:
input
{
http
{
host => "127.0.0.1"
port => 31311
}
}
output
{
elasticsearch
{
hosts => ["localhost:9200"]
}
stdout
{
codec => rubydebug
}
}
You could use the grok filter to match your params in your url as such:
filter {
grok {
match => [ "message", "%{URIPARAM:url}" ]
}
And then you might have to use kv filter in order to split your data:
kv {
source => "url"
field_split => "&"
}
This SO might become handy. Hope this helps!
I'm using ELK (Elasticsearch, Logstash, Kibana) for logging purposes. The problem is Kibana doesn't seem to recognize my JSON, because it puts my JSON inside message.
Here's how I run Logstash:
bin/logstash -e 'input { udp { port => 5000 type => json_logger } }
output { stdout { } elasticsearch { host => localhost } }'
Here's an example Logstash output for my logs (for debugging purposes I also output logs to stdout):
2014-10-07T10:28:19.104+0000 127.0.0.1
{"user_id":1,"object_id":6,"#timestamp":"2014-10-07T13:28:19.101+03:00","#version":"1","severity":"INFO","host":"sergey-System"}
How do I make Elasticsearch/Kibana/Logstash recognize JSON?
Try bin/logstash -e 'input { udp { port => 5000 type => json_logger codec => json} } output { stdout { } elasticsearch { host => localhost } }'.
Note the codec => json option.