Logstash-grok unable to identify process from `ps -ef/cmdline/metricbeat`

I've used Metricbeat 6.1 with Logstash 6.1 (grok).

This is a grok attempt to identify all the processes and categorize them. They are mainly identified as [java_apps], [unidentified_java_apps] and [general unidentified apps], using system.process.cmdline from Metricbeat. But they are all getting tagged as 'Unidentified'.

    filter {
      grok {
        match => { "system.process.cmdline" => [
          "^%{GREEDYDATA:datanode} org.apache.hadoop.hdfs.server.datanode.DataNode$",
          "^%{GREEDYDATA:ambari_server} org.apache.ambari.server.controller.AmbariServer$",
          "^%{GREEDYDATA:unidentified_java}/bin/java%{GREEDYDATA}$",
          "^%{GREEDYDATA:unidentified}$"
        ] }
      }
      if [datanode] {
        mutate {
          replace => { "message" => "%{datanode}" }
          add_tag => ["DataNode"]
        }
      } else if [ambari_server] {
        mutate {
          replace => { "message" => "%{ambari_server}" }
          add_tag => ["Ambari_server"]
        }
      } else {
        mutate {
          add_tag => ["Unidentified"]
        }
      }
    }
Am I supposed to use:
  • "system.process.cmdline" ?
  • "[@Janeesh][system][process][cmdline]"
  • "[_source][system][process][cmdline]"

answered by Grok filter not working

[system][process][cmdline]
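To make the answer concrete, here is an added Python model (not Logstash code and not from the thread) of why the dotted name fails: Logstash treats "system.process.cmdline" as one literal top-level key, while "[system][process][cmdline]" walks the nested Metricbeat document. It replays the question's four patterns in order against constructed cmdline values; the extra Unidentified_java branch is an assumption added so the third category the post describes becomes visible.

```python
import re

# Modelled Logstash field-reference semantics: "[a][b][c]" walks nested keys,
# a bare name is looked up as a single literal top-level key.
_BRACKET = re.compile(r"\[([^\]]+)\]")

def resolve_field(event, ref):
    path = _BRACKET.findall(ref) if ref.startswith("[") else [ref]
    node = event
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

# The question's patterns with %{GREEDYDATA:name} as a named group; grok
# stops at the first matching pattern (break_on_match default).
PATTERNS = [
    re.compile(r"^(?P<datanode>.*) org\.apache\.hadoop\.hdfs\.server\.datanode\.DataNode$"),
    re.compile(r"^(?P<ambari_server>.*) org\.apache\.ambari\.server\.controller\.AmbariServer$"),
    re.compile(r"^(?P<unidentified_java>.*)/bin/java.*$"),
    re.compile(r"^(?P<unidentified>.*)$"),
]

def classify(event, ref):
    """Tag the question's conditional would add for one event, given a field ref."""
    cmdline = resolve_field(event, ref)
    captured = {}
    if isinstance(cmdline, str):
        for pat in PATTERNS:
            m = pat.match(cmdline)
            if m:
                captured = m.groupdict()
                break
    if captured.get("datanode"):
        return "DataNode"
    if captured.get("ambari_server"):
        return "Ambari_server"
    if captured.get("unidentified_java"):   # branch the posted config lacks (assumed)
        return "Unidentified_java"
    return "Unidentified"

# Constructed Metricbeat-style events, nested as the system module emits them.
EVENTS = [
    {"system": {"process": {"cmdline": "/opt/jdk/bin/java -Xmx1g org.apache.hadoop.hdfs.server.datanode.DataNode"}}},
    {"system": {"process": {"cmdline": "/opt/jdk/bin/java -server org.apache.ambari.server.controller.AmbariServer"}}},
    {"system": {"process": {"cmdline": "/usr/lib/jvm/bin/java -jar app.jar"}}},
    {"system": {"process": {"cmdline": "/usr/sbin/sshd -D"}}},
]

def tags_for(ref):
    return [classify(e, ref) for e in EVENTS]
```

Calling tags_for("system.process.cmdline") yields "Unidentified" for every event, while tags_for("[system][process][cmdline]") yields the intended categories.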
