...
As I have ensured the logs are written as key=value pairs for the values I need to collect, I use the "kv" filter to extract the fields, and a mutate to convert the "pingtime" string to a float (otherwise it can't be used in a Visualization):
# Logstash pipeline: receive events from Beats shippers over TLS, parse Apache
# access logs (with GeoIP enrichment) and key=value "pinglog" lines.
input {
  beats {
    port => 5044
    # TLS is enabled with a server certificate/key only. Nothing in this block
    # configures client-certificate verification (no ssl_verify_mode /
    # ssl_certificate_authorities), so any host that can reach port 5044 can
    # ship events into the pipeline; the TLS here gives confidentiality in
    # transit, not authentication of the shipper.
    # NOTE(review): in logstash-input-beats ssl_verify_mode defaults to "none"
    # - confirm for the installed plugin version and consider "force_peer"
    # with a CA bundle if only known shippers should be accepted.
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}
filter {
  if [type] == "apache" {
    # Parse the raw line with the stock combined-log pattern; on mismatch grok
    # tags the event (_grokparsefailure) and the fields below stay unset.
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
    # Use the request time from the log line (e.g. 10/Oct/2000:13:55:36 -0700)
    # as the event @timestamp instead of the ingest time.
    date {
      match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
    # Geo-locate the client IP into [geoip]. GeoLiteCity.dat is the legacy
    # (GeoIP v1) database format - presumably an older geoip plugin; newer
    # plugins expect the .mmdb format, verify against the installed version.
    geoip {
      source => "clientip"
      target => "geoip"
      database => "/etc/logstash/GeoLiteCity.dat"
      # Adding the same field twice turns it into an array: [longitude,
      # latitude] in that order, which is the lon/lat order a geo_point
      # coordinate array is expected to use.
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }
    # The interpolated values are strings; convert so they map as numbers.
    mutate {
      convert => [ "[geoip][coordinates]", "float"]
    }
  } else {
    if [type] == "pinglog" {
      # Default kv: split the message on whitespace and on "=", and create one
      # event field per key found. With no key whitelist, every key present in
      # the (attacker-influenceable) log line becomes a field in the event -
      # consider include_keys / target to bound what gets mapped.
      kv {}
      # pingtime arrives as a string; convert it so it can be aggregated.
      mutate {
        convert => { "pingtime" => "float" }
      }
    }
  }
}
...