Custom grok filter for logstash - elastic-stack

I have a log file as below which I need to parse using grok filter. Please guide me on what will be the filter
log
id:twsoper AIX230
JOB:load_data /jobs/system/load_data.bat 2017-05-14
trying to connect to database
connected to database Target_DB
Expected Filter
ID: twsoper
server : AIX230
Date : 2017-05-14
database : Target_DB

When working with grok you need to know regex (for pattern matching).
Also, you need to play around with the pattern before you put it into Logstash; for that, here are some online pattern testers:
https://grokdebug.herokuapp.com/
http://grokconstructor.appspot.com/do/match
Now on to your example. Assuming all of these are individual lines within the file, you are going to end up with a document in Elasticsearch for all of these, unless you look into multiline in Filebeat or Logstash to merge multiple lines into one single message.
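filter {
  grok {
    # grok stops at the first matching pattern by default (break_on_match => true),
    # so try every pattern in the list against the message
    break_on_match => false
    # patterns, in order: the entire message, ID and server, Date, database
    # (DATE only covers US/EU day-month orderings, so the ISO date is matched explicitly)
    match => {
      "message" => [
        "%{GREEDYDATA:message}",
        "id:%{WORD:ID}\s+%{WORD:server}",
        "JOB.+\s(?<Date>%{YEAR}-%{MONTHNUM}-%{MONTHDAY})",
        "connected to database %{WORD:database}"
      ]
    }
    overwrite => [ "message" ]
  }
}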
If you do not want to use multiline, you will need if statements to match messages and then match fields, like so:
filter {
  # if line starts with id
  if [message] =~ /^id/ {
    grok {
      # get ID and server
      match => ["message", "id:%{WORD:ID}\s+%{WORD:server}"]
    }
  }
  # if line starts with JOB
  if [message] =~ /^JOB/ {
    grok {
      # get Date (DATE only covers US/EU day-month orderings, so match the ISO date explicitly)
      match => ["message", "JOB.+\s(?<Date>%{YEAR}-%{MONTHNUM}-%{MONTHDAY})"]
    }
  }
  # ...
}
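The multiline route mentioned in this answer, as an added example that is not part of the original answer: the file input's multiline codec appends every line that does not start with `id:` to the record before it, so the four sample lines become one event carrying all four fields. The file path and the `no_database_connection` tag are placeholders chosen for illustration, and the date is assumed to be in the YYYY-MM-DD form shown in the sample.

```logstash
input {
  file {
    # Placeholder path; point this at the real job log.
    path => "/path/to/job.log"
    start_position => "beginning"
    codec => multiline {
      # A new record starts at a line beginning with "id:"; every other
      # line is appended to the record before it.
      pattern => "^id:"
      negate => true
      what => "previous"
      # Emit the last buffered record after 5 seconds without new lines.
      auto_flush_interval => 5
    }
  }
}

filter {
  grok {
    # Apply every pattern to the merged message instead of stopping at the first hit.
    break_on_match => false
    match => {
      "message" => [
        "id:%{WORD:ID}\s+%{WORD:server}",
        "JOB:.+\s(?<Date>%{YEAR}-%{MONTHNUM}-%{MONTHDAY})",
        "connected to database %{WORD:database}"
      ]
    }
  }
  # A record without a "connected to database" line never gets the field;
  # tag it so failed runs are easy to find.
  if ![database] {
    mutate { add_tag => ["no_database_connection"] }
  }
}
```

Because `.` does not cross line breaks here, the `JOB:` pattern only reads the date from the job line even though the event now holds all four lines.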

Related

Attempt to access upserted_id property in perl MongoDB Driver returns useless HASH(0x3572074)

I have a Perl script that pulls a table from a SQL database ($row variable) and attempts to do a MongoDB update like so:
my $res = $users->update({"meeting_id" => $row[0]},
{'$set' => {
"meeting_id" => $row[0],
"case_id" => $row[1],
"case_desc" => $row[2],
"date" => $row[3],
"start_time" => $row[4],
"end_time" => $row[5],
#"mediator_LawyerID" => $row[6],
"mediator_LawyerIDs" => \@medLawIds,
"case_number" => $row[6],
"case_name" => $row[7],
"location" => $row[8],
"number_of_parties" => $row[9],
"case_manager" => $row[10],
"last_updated" => $row[11],
"meeting_result" => $row[12],
"parties" => \@partyList
}},
{'upsert' => 1}) or die "I ain't update!!!";
My client now wants ICS style calendar invites sent to their mediators. Thus, I need to know whether an update or insert happened. The documentation for MongoDB::UpdateResult implies that this is how you access such a property:
my $id = $res->upserted_id;
So I tried:
bless ($res,"MongoDB::UpdateResult");
my $id = $res->upserted_id;
After this code $id is like:
HASH(0x356f8fc)
Are these the actual IDs? If so, how do I convert to a hexadecimal string that can be cast to Mongo's ObjectId type? It should be noted I know absolutely nothing about Perl; if more of the code is relevant, at request I will post any section ASAP. It's 300 lines so I didn't want to include the whole file off the bat.
EDIT: I should mention before anyone suggests this that using update_one instead of update returns the exact same result.
HASH(0x356f8fc) is a Perl Hash reference. It's basically some kind of (internal) memory address of some data.
The easiest way to get the contents is Data::Dumper:
use Data::Dumper;
[...]
my $result = $res->upserted_id;
print Dumper($result);
HASH(0x356f8fc) is just the human readable representation of the real pointer. You must dump it in the same process and can't pass it from one to another.
You'll probably end up with something like
my $id = $result->{_id};
See the PerlRef manpage for details.
See also the MongoDB documentation about write concern.
PS: Also remember that you could use your own IDs for MongoDB. You don't need to work with the generated ones.

Getting at XML tree data in perl

I need to parse an XML file using Perl. I can load the file using the XML::Simple module, but within the XML tree there is a tag that I can't see using the Data::Dumper module; I can see its value instead.
<testcase id="10">
.
.
.
</testcase>
Above is a sample of the XML file with the testcase tag. It's the part that I have difficulty with. Using Data::Dumper to view the contents of the array I see something like this:
$VAR1 = {
'testcases' => {
'file' => 'testcases.xml',
'testcase' => {
'10' => {
},
Since the XML is defined like that, why isn't it laid out in the VAR1 array with the id included? Instead of the expected testcases->testcase->id I get testcases->testcase->10. The 10 is the id, but what happened to the 'id' tag?
That's because the default config includes
KeyAttr => [qw( name key id )]
Specifying
KeyAttr => []
will cause id to be no different than any other attribute.

Query Jenkins for job list using a perl script

I am not sure if this question is a duplicate or not, but I cannot find any example of how one would do this. Is there any way we can query Jenkins for the list of jobs? I have tried using the Jenkins::API that CPAN provides, but $jenkins->current_status()->jobs() returns a list of hash values. I am not sure if I am supposed to somehow translate these to readable jobs in English. Any tips?
Have a look at http://metacpan.org/pod/Jenkins::API.
$jenkins->current_status() does indeed return hash values. Each job hash contains keys 'color','name', and 'url'. But they are nested in a list at several levels. I found Data::Dumper helpful in seeing the full structure.
current_status
Returns the current status of the server as returned by the API. This is a hash containing a fairly comprehensive list of what's going on.
$jenkins->current_status();
# {
# 'assignedLabels' => [
# {}
# ],
# 'description' => undef,
# 'jobs' => [
# {
# 'color' => 'blue',
# 'name' => 'Jenkins-API',
# 'url' => 'http://jenkins:8080/job/Jenkins-API/'
# },
# ...
# ]
Example:
use Jenkins::API;
my $jenkins = Jenkins::API->new({ base_url => 'http://localhost:8080' });
# current_status() returns a hash reference; it ends up in $statuses[0]
my @statuses = $jenkins->current_status();
for (my $i = 0; $i <= $#{$statuses[0]{'jobs'}}; $i++) {
    print $statuses[0]{'jobs'}[$i]{'name'}, "\n";
}

Perl Dancer and defining routes with named parameters and nested prefixes

Recently I have been working with Dancer to create an application, but I am having difficulties figuring out how to define the routes.
package MyApp;
use Dancer ':syntax';
our $VERSION = '0.1';
# Base for routing of requests
# Match against /:validate
any '/:validate' => sub {
# This assumes we can stop the routing here
# validate the request param in the url string
# against a regex and 'pass' the request to a
# specific route with the 'var' option
var validate => params->{validate};
.....
# Validation works and dancer passes successfully
pass();
};
# This is the part that is not working
prefix '/info' => sub {
..... # does stuff
}; ## back to the root
In the dancer logs for the pass:
[25561] core @0.001133> [hit #1]Last matching route passed! in /usr/local/share/perl5/Dancer/Route.pm l. 216
In the dancer logs for anything after the pass:
[25781] core @0.001524> [hit #4]Trying to match 'GET /11121/info/' against /^/info$/ (generated from '/info') in /usr/local/share/perl5/Dancer/Route.pm l. 84
[25781] core @0.002041> [hit #4]response: 404 in /usr/local/share/perl5/Dancer/Handler.pm l. 179
It is probably something simple I am missing, but I have not had any luck so far. Any help is greatly appreciated.
EDIT: I did notice I was using prefix incorrectly, so I fixed that, and I apologize for the bad explanation. In a nutshell, the first part of the URL, localhost:3000/12/ for example, is a database record. All routes are built on that record being the first part of the URL string, so I want to validate it prior to going any further into the routes.
I was able to set up a before hook which grabs it and can work with the params hash, but it is getting a 500 error on non-matching patterns currently.
hook before => sub {
my $route_handler = shift;
var record => params->{record};
my $record = var 'record';
while ($record !~ m/^ID[\-]\d{3,6}$/) { # Check for valid ID
if ($record =~ m/^\d{3,6}$/) { # Works currently
$record = 'ID-'.$record;
}else {forward "/error"}; # this = 500 ISE error
}
};
I tried a forward and send_error but both generate an ISE and Dancer reports this on the last entry in the log:
[29661] core @0.001048> [hit #2]entering before hook in /usr/local/share/perl5/Dancer/Hook.pm l. 58
Any help is greatly appreciated, also an edit to make my question more clear is welcomed.
That is not what prefix does. Prefix is used to declare the prefix of the routes in the current package.
prefix '/users';
get '/' => sub { ... }; # matches /users
post '/add' => sub { ... }; # matches /users/add
get '/view/:id' => sub { ... }; # matches /users/view/123
I haven't worked with Dancer at all, but from the Dancer::Introduction docs, it looks like you also have to define a route inside the prefix /info. Try with:
# This is the part that is not working
prefix '/info' => sub {
    get '/' => sub {
        ..... # does stuff
    };
}; ## back to the root

Match any GET path with Mojolicious::Lite

I’d like to match any GET request in Mojolicious::Lite. The code looks like this:
get '.*' => sub {
my $self = shift;
$self->render(text => 'Nothing to see here, move along.');
};
This dies with “Modification of non-creatable array value attempted” at MojoX::Routes::Pattern.pm, line 301. I tried other arguments to get, like qr//. That works for /, but does not match /foo. I also tried to peek at the source, but I’m none the wiser. Are you?
I think you want:
get '/(*restofpath)' => ...
(The restofpath is a name that will allow you to retrieve the actual pathname later, should you need it...). For more details, look at the documentation for wildcard placeholders.