Merge logs between date/time using filebeat - elasticsearch

I'm trying to push logs to Elasticsearch using Filebeat (no Logstash).
I want to send the following log as a single message, but it gets broken into multiple messages; every line becomes a separate message.
20161014 17:49:09.169 [ERROR] [Thread-2974] some.java.class.:70 - some.java.Exception: write failed. History: [requestHost=123-some.org.com, time=Fri Oct 14 17:49:05 GMT-07:00 2016, exception=java.net.SocketTimeoutException]
[requestHost=123-some.org.com, time=Fri Oct 14 17:49:07 GMT-07:00 2016, exception=java.net.SocketTimeoutException]
[requestHost=123-some.org.com, time=Fri Oct 14 17:49:09 GMT-07:00 2016, exception=java.net.SocketTimeoutException]
Tried 3 times
at java.lang.Thread.run(Thread.java:745)
20161014 17:49:09.169 [ERROR] [Thread-3022]
I want to merge all lines between 2 dates (1st and last line)
Here is my filebeat.yml snippet
paths:
  - /test.log
multiline.pattern: '^\[0-9]{8}'
multiline.negate: true
multiline.match: after
I need to know correct regex
I'm trying to solve this without using logstash

Using the following Filebeat configuration with the provided log sample produces two events where each message begins with the date.
I ran ./filebeat -c filebeat.yml -e -v -d "*" with the config below to test. I also tested the pattern on the Go playground.
filebeat.yml:
filebeat:
  prospectors:
    - paths: ["input.txt"]
      multiline:
        pattern: '^[0-9]{8}'
        negate: true
        match: after
output:
  console:
    pretty: false
Output:
{
  "@timestamp": "2016-10-17T14:13:31.292Z",
  "beat": {
    "hostname": "host.example.com",
    "name": "host.example.com"
  },
  "input_type": "log",
  "message": "20161014 17:49:09.169 [ERROR] [Thread-2974] some.java.class.:70 - some.java.Exception: write failed. History: [requestHost=123-some.org.com, time=Fri Oct 14 17:49:05 GMT-07:00 2016, exception=java.net.SocketTimeoutException]\n[requestHost=123-some.org.com, time=Fri Oct 14 17:49:07 GMT-07:00 2016, exception=java.net.SocketTimeoutException]\n[requestHost=123-some.org.com, time=Fri Oct 14 17:49:09 GMT-07:00 2016, exception=java.net.SocketTimeoutException]\n Tried 3 times\n at java.lang.Thread.run(Thread.java:745)",
  "offset": 519,
  "source": "input.txt",
  "type": "log"
}
{
  "@timestamp": "2016-10-17T14:17:21.686Z",
  "beat": {
    "hostname": "host.example.com",
    "name": "host.example.com"
  },
  "input_type": "log",
  "message": "20161014 17:49:09.169 [ERROR] [Thread-3022]",
  "offset": 563,
  "source": "input.txt",
  "type": "log"
}
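The merging rule the answer's config relies on, as an added Python example that is not code from the question, the answer or Filebeat itself: it re-implements the multiline reader's pattern/negate/match semantics (assumption: a line is a continuation line when the pattern match, XOR negate, is true, as the Filebeat docs table states) and runs it over a constructed copy of the log sample, which also shows why the question's `^\[0-9]{8}` never matches a date line.

```python
import re

# Constructed copy of the log sample from the question (not taken from a live system).
SAMPLE_LOG = """\
20161014 17:49:09.169 [ERROR] [Thread-2974] some.java.class.:70 - some.java.Exception: write failed. History: [requestHost=123-some.org.com, time=Fri Oct 14 17:49:05 GMT-07:00 2016, exception=java.net.SocketTimeoutException]
[requestHost=123-some.org.com, time=Fri Oct 14 17:49:07 GMT-07:00 2016, exception=java.net.SocketTimeoutException]
[requestHost=123-some.org.com, time=Fri Oct 14 17:49:09 GMT-07:00 2016, exception=java.net.SocketTimeoutException]
Tried 3 times
at java.lang.Thread.run(Thread.java:745)
20161014 17:49:09.169 [ERROR] [Thread-3022]
"""

QUESTION_PATTERN = r"^\[0-9]{8}"   # the backslash makes "[" literal: never matches a date line
ANSWER_PATTERN = r"^[0-9]{8}"      # eight leading digits: matches exactly the lines that start an event


def starts_event(line, pattern):
    """Filebeat uses Go's unanchored regexp, so the explicit ^ is what ties the match to line start."""
    return re.search(pattern, line) is not None


def merge_multiline(lines, pattern, negate=False, match="after"):
    """Group lines into events following Filebeat's multiline table:
    a line is a continuation line when (pattern matches) XOR negate;
    match="after" appends continuation lines to the previous event,
    match="before" prepends them to the next non-continuation line."""
    events, buf = [], []
    for line in lines:
        continuation = starts_event(line, pattern) != negate
        if match == "after":
            if buf and not continuation:        # a new event starts: flush what we have
                events.append("\n".join(buf))
                buf = []
            buf.append(line)
        elif match == "before":
            buf.append(line)
            if not continuation:                # this line closes the event
                events.append("\n".join(buf))
                buf = []
        else:
            raise ValueError("match must be 'after' or 'before'")
    if buf:
        events.append("\n".join(buf))
    return events


if __name__ == "__main__":
    for event in merge_multiline(SAMPLE_LOG.splitlines(), ANSWER_PATTERN, negate=True):
        print(repr(event))
```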

Related

How to change a value in yaml file with a bash command?

I have this yaml file:
id:
  providerName: admin
  apiName: LagerAPI
  version: 1.0.0
uuid: 1297c3e5-24aa-4806-be05-0cc3f2decaff
type: HTTP
context: /wso/1.0.0
contextTemplate: /wso/{version}
tags: []
documents: []
lastUpdated: Apr 14, 2020 4:33:37 PM
and I want to change the value wso in the lines context: and contextTemplate: to test, so that this will be the result:
id:
  providerName: admin
  apiName: LagerAPI
  version: 1.0.0
uuid: 1297c3e5-24aa-4806-be05-0cc3f2decaff
type: HTTP
context: /test/1.0.0
contextTemplate: /test/{version}
tags: []
documents: []
lastUpdated: Apr 14, 2020 4:33:37 PM
How do I do this with a bash command?
Thank you :)
I found a solution:
sed -i 's/wso/test/' file.yaml
Just in case there are more wso in that file this should replace what was intended.
sed '/^context/s/wso/test/;/^contextTemplate/s/wso/test/' file.yml

Elasticsearch respository shows no snapshots after upgrade from 2.x to 5.x

On a RHEL6 system, I followed the steps laid out here to create a repository and capture a snapshot prior to my upgrade. I verified the existence of the snapshot:
curl 'localhost:9200/_snapshot/_all?pretty=true'
Which gave me the following result:
{
  "upgrade_backup" : {
    "type" : "fs",
    "settings" : {
      "compress" : "true",
      "location" : "/tmp/elasticsearch-backup"
    }
  }
}
After upgrading Elasticsearch via yum, I went to restore my snapshot but none are showing up:
curl 'localhost:9200/_snapshot/_all?pretty=true'
{ }
I checked on the file system and see the repository files:
ls -lrt /tmp/elasticsearch-backup
total 24
-rw-r--r--. 1 elasticsearch elasticsearch 121 Apr 7 14:42 meta-snapshot-number-one.dat
drwxr-xr-x. 3 elasticsearch elasticsearch 21 Apr 7 14:42 indices
-rw-r--r--. 1 elasticsearch elasticsearch 191 Apr 7 14:42 snap-snapshot-number-one.dat
-rw-r--r--. 1 elasticsearch elasticsearch 37 Apr 7 14:42 index
-rw-r--r--. 1 elasticsearch elasticsearch 188 Apr 7 14:51 index-0
-rw-r--r--. 1 elasticsearch elasticsearch 8 Apr 7 14:51 index.latest
-rw-r--r--. 1 elasticsearch elasticsearch 29 Apr 7 14:51 incompatible-snapshots
I made sure elasticsearch.yml still has the "data.repo" tag, so I'm not sure where to look or what to do to determine what happened, but somehow my snapshots vanished!
You need to add the following line to elasticsearch.yml:
path.repo: ["/tmp/elasticsearch-backup"]
Then restart the Elasticsearch service and create a new snapshot repository:
curl -XPUT "http://localhost:9200/_snapshot/backup" -H 'Content-Type: application/json' -d '{
  "type": "fs",
  "settings": {
    "location": "/tmp/elasticsearch-backup",
    "compress": true
  }
}'
Now you should be able to list all snapshots in your repository and eventually restore them:
curl -s -XGET "localhost:9200/_snapshot/backup/_all" | jq .

elasticdump started from with bash from crontab does not dump all records

I have an elasticdump command in a bash file
#!/bin/bash
elasticdump \
  --input=url would be here/datalayer \
  --output=weownit_data/datalayer_now.json \
  --searchBody '{"query": {"filtered": {"query": {"match_all" : {}},"filter": {"bool": {"must": [{"numeric_range": {"timestamp": {"gte": 1434499493}}},{"type" : {"value" : "event2"}}]}}}}}'
The command works normally if I run it by itself. The bash file works normally if I run it by itself, both of these download 200,000 records.
My crontab looks like the following
0 2 * * * /home/woibasic/projects/all_since_jun172015.bash > /home/woibasic/projects/logging/elasticsearch.log
When I look at elasticsearch.log it shows the following
Fri, 26 Jun 2015 02:00:02 GMT | starting dump
Fri, 26 Jun 2015 02:00:02 GMT | got 100 objects from source elasticsearch (offset: 0)
So the question really is: why is it stopping at 100 objects? It seems like cron is shutting down too soon for some reason.

rsyslog - Avoid pushing certain logs to /var/log/messages

I have an EC2 Linux server, and I am tracking the logs of my application server using rsyslog so that I can push these logs to Loggly.
The problem is, rsyslog is also logging these in /var/log/messages, which I don't want. Is there any way to avoid this? Can I filter out certain messages in /etc/rsyslog.conf so that these are not pushed to /var/log/messages?
****** UPDATE *******
I tried adding the following lines in rsyslog.conf:
if $programname == 'programName' then {
    *.err /var/log/messages
} else {
    *.info;mail.none;authpriv.none;cron.none /var/log/messages
}
However, upon restarting rsyslog, I see the following error:
Dec 11 08:01:46 <hostname> rsyslogd: the last error occured in /etc/rsyslog.conf, line 37:"if $programname == 'programName' then {"
Dec 11 08:01:46 <hostname> rsyslogd: warning: selector line without actions will be discarded
Dec 11 08:01:46 <hostname> rsyslogd-3000: unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
Dec 11 08:01:46 <hostname> rsyslogd: the last error occured in /etc/rsyslog.conf, line 39:"} else {"
Dec 11 08:01:46 <hostname> rsyslogd: warning: selector line without actions will be discarded
Dec 11 08:01:46 <hostname> rsyslogd-3000: unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
Dec 11 08:01:46 <hostname> rsyslogd: the last error occured in /etc/rsyslog.conf, line 41:"}"
Dec 11 08:01:46 <hostname> rsyslogd: warning: selector line without actions will be discarded
I suppose my version of rsyslog (5.8.10) doesn't support if / else. Is there any other way to do this?
Thanks.
First send the message to the file that you want, then use stop to prevent further actions.
if $programname == 'apache2' then {
    action(type="omfile" file="/var/log/apache2/rewrite.log" name="action-omfile-apache2-rewrite")
    stop
}

Dropbox Uploader Modification

Is any of you familiar with Dropbox Uploader (https://github.com/andreafabrizi/Dropbox-Uploader) or the UNIX sed command?
I would like to get this script to work so that it returns a sorted list from Dropbox based on the modified date.
The command ./droptobox list Test outputs:
Listing "/Test"... DONE
[F] config.bmp
[F] igs.bin
If I make some modifications to the script (echoing out $DIR_CONTENT), I can see from the output that the information I need is certainly there.
{"revision": 37, "rev": "2514cf1330", "thumb_exists": true, "bytes": 824, "modified": "Thu, 07 Nov 2013 16:14:59 +0000", "client_mtime": "Thu, 07 Nov 2013 16:14:59 +0000", "path": "/Test/config.bmp", "is_dir": false, "icon": "page_white_picture", "root": "dropbox", "mime_type": "image/x-ms-bmp", "size": "824 bytes"}
{"revision": 38, "rev": "2614cf1330", "thumb_exists": false, "bytes": 86, "modified": "Thu, 07 Nov 2013 16:15:18 +0000", "client_mtime": "Thu, 07 Nov 2013 16:15:18 +0000", "path": "/Test/igs.bin", "is_dir": false, "icon": "page_white", "root": "dropbox", "mime_type": "application/octet-stream", "size": "86 bytes"}], "size": "0 bytes"}
I suppose this is the line that is responsible for it:
echo "$DIR_CONTENT" | sed -n 's/.*"path": *"\([^"]*\)",.*"is_dir": *\([^"]*\),.*/\1:\2/p' > $RESPONSE_FILE
The problem is that I ain't that familiar with sed; if I try to do some modifications, I don't get any output.
Modified line (I have no idea if I'm moving in the right direction):
echo "$DIR_CONTENT" | sed -n 's/.*"path": *"\([^"]*\)",.*"is_dir": *\([^"]*\),.*"modified": *\([^"]*\),.*/\1:\2\3/p' > $RESPONSE_FILE
But ideally, would it be possible to get it to display the modified information and sort the results based on it?
Also, the other part of the db_list function:
# For each line...
while read -r line; do
    local FILE=${line%:*}
    FILE=${FILE##*/}
    local TYPE=${line#*:}
    if [[ $TYPE == "false" ]]; then
        echo -ne " [F] $FILE\n"
    else
        echo -ne " [D] $FILE\n"
    fi
done < "$RESPONSE_FILE"
Two things I see:
The "is_dir" value is a boolean and does not have quotes, so change
"is_dir": *\([^"]*\),
to
"is_dir": *\([^,]*\),
"modified" occurs before "path", so you need to write (accounting for quotes as well):
echo "$DIR_CONTENT" | sed -n 's/.*"modified": *"\([^"]*\)",.*"path": *"\([^"]*\)",.*"is_dir": *\([^,]*\),.*/\2:\3 \1/p' > $RESPONSE_FILE
Also, bash has a handy "here-string" feature, so you don't need to "echo":
sed -n '...' <<< "$DIR_CONTENT" > "$RESPONSE_FILE"
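A way to get the sorted listing the question asks for, as an added Python example that is not code from Dropbox Uploader or from the answer above: it assumes $DIR_CONTENT is the full folder-metadata JSON whose "contents" array the question prints (a constructed copy is embedded, with a third entry added to show a directory and a name containing ':'), and parses it as JSON instead of with sed, so field order and quoting in the response cannot break the match the way the regex rewrite in the question did.

```python
import json
from email.utils import parsedate_to_datetime

# Constructed stand-in for $DIR_CONTENT: the two entries from the question plus one
# made-up directory entry, wrapped in the "contents" array assumed for a folder listing.
DIR_CONTENT = json.dumps({
    "path": "/Test", "is_dir": True, "size": "0 bytes",
    "contents": [
        {"revision": 37, "rev": "2514cf1330", "bytes": 824,
         "modified": "Thu, 07 Nov 2013 16:14:59 +0000",
         "path": "/Test/config.bmp", "is_dir": False, "mime_type": "image/x-ms-bmp"},
        {"revision": 38, "rev": "2614cf1330", "bytes": 86,
         "modified": "Thu, 07 Nov 2013 16:15:18 +0000",
         "path": "/Test/igs.bin", "is_dir": False, "mime_type": "application/octet-stream"},
        {"revision": 40, "rev": "2814cf1330", "bytes": 0,          # constructed entry
         "modified": "Wed, 06 Nov 2013 09:00:00 +0000",
         "path": "/Test/old:dir", "is_dir": True},
    ],
})


def list_sorted_by_modified(dir_content, newest_first=False):
    """Parse the folder metadata as JSON and return (type, name, modified) tuples
    ordered by modification time. The RFC 2822 dates in "modified" are turned into
    datetimes so the sort is chronological, not lexical. Names containing ':' would
    break the ${line%:*} split in the bash loop; here they are handled as data."""
    entries = json.loads(dir_content).get("contents", [])
    rows = []
    for entry in entries:
        modified = parsedate_to_datetime(entry["modified"])
        name = entry["path"].rsplit("/", 1)[-1]
        rows.append(("D" if entry["is_dir"] else "F", name, modified))
    rows.sort(key=lambda row: row[2], reverse=newest_first)
    return rows


def format_listing(rows):
    """Render rows in the ' [F] name' style db_list prints, with the date appended."""
    return "\n".join(f" [{kind}] {name}  {mod:%Y-%m-%d %H:%M:%S %z}" for kind, name, mod in rows)


if __name__ == "__main__":
    print(format_listing(list_sorted_by_modified(DIR_CONTENT)))
```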
