AIX Insight pack issue

Hi

I have installed the AIX Insight Pack, and while ingesting the AIX err report in Log Analysis 1.3.3.1 I am seeing all entries show up in the scala_logstash_failures log. In the LA data source I'm seeing all values as "-".

Initially I was using the out-of-the-box conf file and had edited the values to suit my environment. But I was getting an error with the format of the text, so I had to add

codec => plain {
  charset => "ISO-8859-1"
}

Here is my conf file. (I'm only pasting a partial file.)

######################################################### {COPYRIGHT-END} ###
# AIXErrorInsightPack_v1.1.0.0 (201602050850)

input {
  file {
    type => "BlueMedoraAIXError"
    path => ["/home/myuser/aix/logs/*.log"]
    codec => plain {
      charset => "ISO-8859-1"
    }
    start_position => "beginning"
  } # end file
} # end AIXErrorInsightPack input

filter {
  if [type] == "BlueMedoraAIXError" {

    # Comment out this mutate if you do preprocessing to add optional log consolidation fields:
    # …;ENVIRONMENTNAME;HOSTNAME;FUNCTIONALNAME;INSTANCE;LOGNAME
    mutate {
      replace => ["message", "%{message};;;;;"]
    }

    grok {
      patterns_dir => "/home/myuser/LogAnalysis/Logstash/logstash-2.2.1/logstash-scala/logstash/patterns"
      match => [ "message", "(%{AIX_ERROR}|%{ERROR_HEADER:error_header})" ]
      add_tag => [ "grokked", "error" ]
      add_field => [ "subtype", "error" ]
    } # end grok

    if "error" in [tags] {
      if [error_header] {
        drop { }
      } # end if - else
    } # end if

    if "grokked" in [tags] {
      mutate {
        add_field => [ "log_type", "Error" ]
        add_field => [ "log_subtype", "%{subtype}" ]
        add_field => [ "log_host", "%{host}" ]
        add_field => [ "log_path", "%{path}" ]
      } # end mutate
    } # end grokked condition

    mutate {
      replace => [ "host", "AIX", "path", "Error"]
      add_tag => [ "AIX_Error-Final" ]
    } # end mutate

  } # end type

} # end AIXErrorInsightPack filter

output {
  if [type] == "BlueMedoraAIXError" {
    if "ignore" in [tags] {
      file {
        message_format => "%{message} | TAGS: %{tags} | path: %{path}"
        path => "/home/myuser/LogAnalysis/Logstash/logs/scala_logstash_ignores.log"
      } # end file
    } else if "_grokparsefailure" in [tags] {
      file {
        message_format => "%{message} | TAGS: %{tags} | path: %{path} | PROCESS TIME: %{@timestamp}"
        path => "/home/myuser/LogAnalysis/Logstash/logs/scala_logstash_failures.log"
      } # end file
    } # end ignore and _grokparsefailure tests
  }

I guess there is some issue with the match statement.

match => [ "message", "(%{AIX_ERROR}|%{ERROR_HEADER:error_header})" ]

Am I missing anything? Or does the AIX err report need to be in some particular format?
