Field/value extraction with ELK

Question

I have an industrial system producing log files where some of the lines look like this:

component1 v1 component2 v2 component3 v3 ...

Where vx is a numerical value (eg. 3.14159).

I'm running a super basic ELK stack and I would like to extract these as field/value.

I don't know how/where to attack the problem. Is that a logstash configuration that should be done to extract fields from single lines ?

Is Grok the answer to my problem? – Cedric H. Oct 09 '16 at 01:28 — Cedric H., Oct 09 '16 at 01:28

score 1 · Answer 1 · answered Oct 24 '16 at 01:51

1

That's evil.

The kv filter won't work here, because the key=value separator is the same as the one separating the tuples.

IF the lines are consistent, grok may be your saving grace. But if the order of the components change, that gets very tricky, very quickly.

^{WORD:component1} {%BASE10NUM:component1_val}...

answered Oct 24 '16 at 01:51

sysadmin1138

I agree with the evil part! It got ELK working with space being the separator for both, but it breaks if the line is perfectly regular. – Cedric H. Oct 24 '16 at 08:08

1 Answers1