add basic grok processor functionality #44215

rpasche · 2025-05-06T06:13:26Z

Proposed commit message

This PR adds a grok processor to beats. Mainly, this might only be used within filebeat to parse logfiles the same way, that logstash or the grok processor within an ingest pipeline is doing it.

Please explain:

The goal is to have more flexibility and ability to parse a log file already on the client side, where filebeat might be running, instead of relying on a logstash or elasticsearch ingest pipeline to do the parsing.

Checklist

My code follows the style guidelines of this project
I have commented my code, particularly in hard-to-understand areas
I have made corresponding changes to the documentation
I have made corresponding change to the default configuration files
I have added tests that prove my fix is effective or that my feature works
I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Disruptive User Impact

Possible impact while using this processor is that a final mapping on the final elasticsearch index might not match and therefore might cause an index mapping conflict.

Depending on the number of log entries to parse and the complexity of the grok patterns, CPU and memory usage might increase significantly.

Author's Checklist

I truly need help to write tests. Also requesting some hints, how this processor might be further improved. Maybe to add tags (if parsing fails)

I also need to fully confirm the ingestion into a running demo elasticsearch cluster. So far, I was only able to see the events from the internal filebeat /logs directly, how they should look. I will try to do this today.

How to test this PR locally

This is described in the corresponding ascii docs.

Related issues

Closes [Filebeat] Add grok Processor as native beat/filebeat processor #30073

Use cases

You do not need to maintain the ingest pipelines on elasticsearch itself and allows proper parsing already on the client side

Screenshots

Logs

./filebeat -e -d '*'
{"log.level":"info","@timestamp":"2025-05-06T15:04:05.785+0200","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).configure","file.name":"instance/beat.go","file.line":1052},"message":"Home path: [/Users/I561014/go/src/github.com/elastic/beats/filebeat] Config path: [/Users/I561014/go/src/github.com/elastic/beats/filebeat] Data path: [/Users/I561014/go/src/github.com/elastic/beats/filebeat/data] Logs path: [/Users/I561014/go/src/github.com/elastic/beats/filebeat/logs]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:05.785+0200","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).loadMeta","file.name":"instance/beat.go","file.line":1176},"message":"Beat metadata path: /Users/I561014/go/src/github.com/elastic/beats/filebeat/data/meta.json","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:05.794+0200","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).configure","file.name":"instance/beat.go","file.line":1060},"message":"Beat ID: 18da9fbc-207f-46af-8bdb-16995551fb85","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2025-05-06T15:04:06.151+0200","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).configure","file.name":"instance/beat.go","file.line":1075},"message":"unable to lookup FQDN: could not get FQDN, all methods failed: failed looking up CNAME: lookup MQWLD9W6PP on 10.17.220.88:53: no such host: failed looking up IP: lookup MQWLD9W6PP: no such host, using hostname = MQWLD9W6PP as FQDN","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.153+0200","log.logger":"processors","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/processors.New","file.name":"processors/processor.go","file.line":113},"message":"Generated new processors: grok","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.154+0200","log.logger":"seccomp","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/common/seccomp.loadFilter","file.name":"seccomp/seccomp.go","file.line":97},"message":"Syscall filtering is only supported on Linux","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:06.154+0200","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).createBeater","file.name":"instance/beat.go","file.line":558},"message":"Setup Beat: filebeat; Version: 9.1.0 (FIPS-distribution: false)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:06.154+0200","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).logSystemInfo","file.name":"instance/beat.go","file.line":1612},"message":"Beat info","service.name":"filebeat","system_info":{"beat":{"path":{"config":"/Users/I561014/go/src/github.com/elastic/beats/filebeat","data":"/Users/I561014/go/src/github.com/elastic/beats/filebeat/data","home":"/Users/I561014/go/src/github.com/elastic/beats/filebeat","logs":"/Users/I561014/go/src/github.com/elastic/beats/filebeat/logs"},"type":"filebeat","uuid":"18da9fbc-207f-46af-8bdb-16995551fb85"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2025-05-06T15:04:06.154+0200","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).logSystemInfo","file.name":"instance/beat.go","file.line":1621},"message":"Build info","service.name":"filebeat","system_info":{"build":{"commit":"bf2e6931023480fda956d1ed62dee54bb98bfc60","libbeat":"9.1.0","time":"2025-05-06T09:38:33.000Z","version":"9.1.0"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2025-05-06T15:04:06.154+0200","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).logSystemInfo","file.name":"instance/beat.go","file.line":1624},"message":"Go runtime info","service.name":"filebeat","system_info":{"go":{"os":"darwin","arch":"arm64","max_procs":12,"version":"go1.24.1"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2025-05-06T15:04:06.155+0200","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).logSystemInfo","file.name":"instance/beat.go","file.line":1630},"message":"Host info","service.name":"filebeat","system_info":{"host":{"architecture":"arm64","native_architecture":"arm64","boot_time":"2025-04-22T12:08:40.009663+02:00","name":"MQWLD9W6PP","ip":["127.0.0.1","::1","fe80::1","fe80::145e:bc80:e9c6:40b7","2a02:810c:892:6a00:87c:251c:f984:4c3a","192.168.30.207","2a02:810c:892:6a00:145e:bc80:e9c6:40b7","2a02:810c:892:6a00:2992:3b14:9d91:198f","2a02:810c:892:6a00:b02e:85d5:11d6:a736","2a02:810c:892:6a00:55d0:2085:4552:c4d2","2a02:810c:892:6a00:2ca0:d0b:facc:ae9d","2a02:810c:892:6a00:8949:2e5:688c:41b","2a02:810c:892:6a00:5031:d6cf:b28b:afe4","2a02:810c:892:6a00:3190:c9c9:649d:1d1d","fe80::bc2a:e5ff:fea3:2ce2","fe80::bc2a:e5ff:fea3:2ce2","fe80::5cb4:14c9:57ef:bfd","fe80::6c18:210f:2aeb:af1d","fe80::ccca:b99d:411c:4a61","fe80::ce81:b1c:bd2c:69e","10.177.84.24"],"kernel_version":"24.4.0","mac":["d2:b0:6e:80:52:78","d2:b0:6e:80:52:76","d2:b0:6e:80:52:77","d2:b0:6e:80:52:56","d2:b0:6e:80:52:57","d2:b0:6e:80:52:58","36:0f:25:13:5a:c0","36:0f:25:13:5a:c4","36:0f:25:13:5a:c8","36:0f:25:13:5a:c0","7e:f5:5c:cc:e8:4c","82:73:31:b0:bf:26","be:2a:e5:a3:2c:e2","be:2a:e5:a3:2c:e2","00:50:b6:ec:83:c3"],"os":{"type":"macos","family":"darwin","platform":"darwin","name":"macOS","version":"15.4.1","major":15,"minor":4,"patch":1,"build":"24E263"},"timezone":"CEST","timezone_offset_sec":7200,"id":"95B35F89-5364-50C6-A145-231201054AC5"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2025-05-06T15:04:06.155+0200","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).logSystemInfo","file.name":"instance/beat.go","file.line":1659},"message":"Process info","service.name":"filebeat","system_info":{"process":{"cwd":"/Users/I561014/go/src/github.com/elastic/beats/filebeat","exe":"./filebeat","name":"filebeat","pid":84360,"ppid":82702,"start_time":"2025-05-06T15:04:05.743+0200"},"ecs.version":"1.6.0"}}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.156+0200","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).createBeater","file.name":"instance/beat.go","file.line":587},"message":"Initializing output plugins","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:06.160+0200","log.logger":"elasticsearch","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/outputs/elasticsearch.makeES","file.name":"elasticsearch/elasticsearch.go","file.line":56},"message":"Applying performance preset 'balanced': {\n  \"bulk_max_size\": 1600,\n  \"compression_level\": 1,\n  \"idle_connection_timeout\": \"3s\",\n  \"queue\": {\n    \"mem\": {\n      \"events\": 3200,\n      \"flush\": {\n        \"min_events\": 1600,\n        \"timeout\": \"10s\"\n      }\n    }\n  },\n  \"worker\": 1\n}","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:06.161+0200","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.NewConnection","file.name":"eslegclient/connection.go","file.line":132},"message":"elasticsearch url: https://localhost:9200","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2025-05-06T15:04:06.161+0200","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.(*TLSConfig).ToConfig","file.name":"tlscommon/tls_config.go","file.line":107},"message":"SSL/TLS verifications disabled.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.161+0200","log.logger":"publisher","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*eventConsumer).run","file.name":"pipeline/consumer.go","file.line":110},"message":"start pipeline event consumer","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.161+0200","log.logger":"publisher","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*queueReader).run","file.name":"pipeline/queue_reader.go","file.line":49},"message":"pipeline event consumer queue reader: start","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:06.161+0200","log.logger":"publisher","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.LoadWithSettings","file.name":"pipeline/module.go","file.line":105},"message":"Beat name: MQWLD9W6PP","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:06.162+0200","log.logger":"modules","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/fileset.newModuleRegistry","file.name":"fileset/modules.go","file.line":135},"message":"Enabled modules/filesets: ","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:06.162+0200","log.logger":"monitoring","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).snapshotLoop","file.name":"log/log.go","file.line":150},"message":"Starting metrics logging every 30s","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:06.162+0200","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).launch","file.name":"instance/beat.go","file.line":759},"message":"filebeat start running.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.162+0200","log.logger":"test","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/registrar.isFile","file.name":"registrar/migrate.go","file.line":288},"message":"isFile(/Users/I561014/go/src/github.com/elastic/beats/filebeat/data/registry) -> false","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.162+0200","log.logger":"test","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/registrar.isFile","file.name":"registrar/migrate.go","file.line":288},"message":"isFile() -> false","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.162+0200","log.logger":"test","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/registrar.isDir","file.name":"registrar/migrate.go","file.line":281},"message":"isDir(/Users/I561014/go/src/github.com/elastic/beats/filebeat/data/registry/filebeat) -> false","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.162+0200","log.logger":"registrar","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/registrar.(*Migrator).Run","file.name":"registrar/migrate.go","file.line":83},"message":"Registry type '' found","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.162+0200","log.logger":"test","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/registrar.isFile","file.name":"registrar/migrate.go","file.line":288},"message":"isFile(.bak) -> false","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:06.172+0200","log.logger":"filebeat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/statestore/backend/memlog.openStore","file.name":"memlog/store.go","file.line":134},"message":"Finished loading transaction log file for '/Users/I561014/go/src/github.com/elastic/beats/filebeat/data/registry/filebeat'. Active transaction id=0","service.name":"filebeat","store":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:06.172+0200","log.logger":"registrar","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/registrar.(*Registrar).loadStates","file.name":"registrar/registrar.go","file.line":103},"message":"States Loaded from registrar: 0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:06.172+0200","log.logger":"crawler","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/beater.(*crawler).Start","file.name":"beater/crawler.go","file.line":72},"message":"Loading Inputs: 1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:06.172+0200","log.logger":"crawler","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/beater.(*crawler).startInput","file.name":"beater/crawler.go","file.line":118},"message":"starting input, keys present on the config: [filebeat.inputs.0.enabled filebeat.inputs.0.id filebeat.inputs.0.paths.0 filebeat.inputs.0.type]","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.172+0200","log.logger":"registrar","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/registrar.(*Registrar).Run","file.name":"registrar/registrar.go","file.line":134},"message":"Starting Registrar","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.172+0200","log.logger":"scanner","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/filestream.newFileScanner","file.name":"filestream/fswatch.go","file.line":311},"message":"fingerprint mode enabled: offset 0, length 1024","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.172+0200","log.logger":"scanner","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/filestream.(*fileScanner).resolveRecursiveGlobs","file.name":"filestream/fswatch.go","file.line":334},"message":"recursive glob enabled","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.172+0200","log.logger":"input.filestream","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/filestream.newProspector","file.name":"filestream/prospector_creator.go","file.line":57},"message":"file identity is set to fingerprint","service.name":"filebeat","filestream_id":"my-filestream-id","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.173+0200","log.logger":"input.filestream.prospector","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/filestream.(*fileProspector).Init","file.name":"filestream/prospector.go","file.line":135},"message":"trying to migrate file identity to fingerprint","service.name":"filebeat","filestream_id":"my-filestream-id","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:06.173+0200","log.logger":"crawler","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/beater.(*crawler).startInput","file.name":"beater/crawler.go","file.line":149},"message":"Starting input (ID: 7184716629260632359)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:06.173+0200","log.logger":"input.filestream","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/v2/compat.(*runner).Start.func1","file.name":"compat/compat.go","file.line":137},"message":"Input 'filestream' starting","service.name":"filebeat","id":"my-filestream-id","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.173+0200","log.logger":"crawler.module.reloader","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cfgfile.(*Reloader).Check","file.name":"cfgfile/reload.go","file.line":131},"message":"Checking module configs from: /Users/I561014/go/src/github.com/elastic/beats/filebeat/modules.d/*.yml","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:06.173+0200","log.logger":"input.filestream.metric_registry","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/monitoring/inputmon.NewMetricsRegistry","file.name":"inputmon/input.go","file.line":145},"message":"registering","service.name":"filebeat","id":"my-filestream-id","registry_id":"my-filestream-id","input_id":"my-filestream-id","input_type":"filestream","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.173+0200","log.logger":"input.filestream","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/filestream.(*fileProspector).Run","file.name":"filestream/prospector.go","file.line":284},"message":"Starting prospector","service.name":"filebeat","id":"my-filestream-id","prospector":"file_prospector","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.173+0200","log.logger":"file_watcher","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/filestream.(*fileWatcher).watch","file.name":"filestream/fswatch.go","file.line":125},"message":"Start next scan","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.173+0200","log.logger":"file_watcher","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/filestream.(*fileWatcher).watch","file.name":"filestream/fswatch.go","file.line":229},"message":"File scan complete","service.name":"filebeat","total":1,"written":0,"truncated":0,"renamed":0,"removed":0,"created":1,"ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.173+0200","log.logger":"crawler.module.reloader","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cfgfile.(*Reloader).Check","file.name":"cfgfile/reload.go","file.line":145},"message":"Number of module configs found: 0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:06.173+0200","log.logger":"crawler","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/beater.(*crawler).Start","file.name":"beater/crawler.go","file.line":107},"message":"Loading and starting Inputs completed. Enabled inputs: 1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.173+0200","log.logger":"input.filestream","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/filestream.(*fileProspector).onFSEvent","file.name":"filestream/prospector.go","file.line":330},"message":"A new file /Users/I561014/go/src/github.com/elastic/beats/filebeat/haproxy.log has been found","service.name":"filebeat","id":"my-filestream-id","prospector":"file_prospector","operation":"create","source_name":"fingerprint::1e41174870f9cde0921bbf02e6f5b4b615bb415f0ef2da3a435ab33f17599b8b","fingerprint":"1e41174870f9cde0921bbf02e6f5b4b615bb415f0ef2da3a435ab33f17599b8b","os_id":"27696711-16777233","new_path":"/Users/I561014/go/src/github.com/elastic/beats/filebeat/haproxy.log","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:06.173+0200","log.logger":"crawler.module.reloader","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cfgfile.(*Reloader).Run","file.name":"cfgfile/reload.go","file.line":163},"message":"Config reloader started","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.173+0200","log.logger":"crawler.module.reloader","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cfgfile.(*Reloader).Run","file.name":"cfgfile/reload.go","file.line":193},"message":"Scan for new config files","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.173+0200","log.logger":"crawler.module.reloader","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cfgfile.(*Reloader).Run","file.name":"cfgfile/reload.go","file.line":212},"message":"Number of module configs found: 0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.173+0200","log.logger":"crawler.module.reloader.reload","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cfgfile.(*RunnerList).Reload","file.name":"cfgfile/list.go","file.line":91},"message":"Starting reload procedure, current runners: 0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.173+0200","log.logger":"crawler.module.reloader.reload","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cfgfile.(*RunnerList).Reload","file.name":"cfgfile/list.go","file.line":109},"message":"Start list: 0, Stop list: 0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.173+0200","log.logger":"input.filestream","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/filestream/internal/input-logfile.(*defaultHarvesterGroup).Start","file.name":"input-logfile/harvester.go","file.line":140},"message":"Starting harvester for file","service.name":"filebeat","id":"my-filestream-id","source_file":"filestream::my-filestream-id::fingerprint::1e41174870f9cde0921bbf02e6f5b4b615bb415f0ef2da3a435ab33f17599b8b","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.173+0200","log.logger":"crawler.module.reloader","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cfgfile.(*Reloader).Run","file.name":"cfgfile/reload.go","file.line":223},"message":"error '<nil>' cannot retried. Modify any input file to reload.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:06.173+0200","log.logger":"crawler.module.reloader","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cfgfile.(*Reloader).Run","file.name":"cfgfile/reload.go","file.line":229},"message":"Loading of config files completed.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.174+0200","log.logger":"input.filestream","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/filestream.(*filestream).open","file.name":"filestream/input.go","file.line":207},"message":"newLogFileReader with config.MaxBytes:10485760","service.name":"filebeat","id":"my-filestream-id","source_file":"filestream::my-filestream-id::fingerprint::1e41174870f9cde0921bbf02e6f5b4b615bb415f0ef2da3a435ab33f17599b8b","path":"/Users/I561014/go/src/github.com/elastic/beats/filebeat/haproxy.log","state-id":"fingerprint::1e41174870f9cde0921bbf02e6f5b4b615bb415f0ef2da3a435ab33f17599b8b","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:06.174+0200","log.logger":"detect_null_bytes","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/reader/debug.(*Reader).Read","file.name":"debug/debug.go","file.line":95},"message":"Starting debug reader with a buffer size of 16384 and max failures of 100","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:06.193+0200","log.logger":"input.filestream","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/filestream.(*logFile).Read","file.name":"filestream/filestream.go","file.line":131},"message":"End of file reached: /Users/I561014/go/src/github.com/elastic/beats/filebeat/haproxy.log; Backoff now.","service.name":"filebeat","id":"my-filestream-id","source_file":"filestream::my-filestream-id::fingerprint::1e41174870f9cde0921bbf02e6f5b4b615bb415f0ef2da3a435ab33f17599b8b","path":"/Users/I561014/go/src/github.com/elastic/beats/filebeat/haproxy.log","state-id":"fingerprint::1e41174870f9cde0921bbf02e6f5b4b615bb415f0ef2da3a435ab33f17599b8b","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:08.194+0200","log.logger":"input.filestream","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/filestream.(*logFile).Read","file.name":"filestream/filestream.go","file.line":131},"message":"End of file reached: /Users/I561014/go/src/github.com/elastic/beats/filebeat/haproxy.log; Backoff now.","service.name":"filebeat","id":"my-filestream-id","source_file":"filestream::my-filestream-id::fingerprint::1e41174870f9cde0921bbf02e6f5b4b615bb415f0ef2da3a435ab33f17599b8b","path":"/Users/I561014/go/src/github.com/elastic/beats/filebeat/haproxy.log","state-id":"fingerprint::1e41174870f9cde0921bbf02e6f5b4b615bb415f0ef2da3a435ab33f17599b8b","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:12.195+0200","log.logger":"input.filestream","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/filestream.(*logFile).Read","file.name":"filestream/filestream.go","file.line":131},"message":"End of file reached: /Users/I561014/go/src/github.com/elastic/beats/filebeat/haproxy.log; Backoff now.","service.name":"filebeat","id":"my-filestream-id","source_file":"filestream::my-filestream-id::fingerprint::1e41174870f9cde0921bbf02e6f5b4b615bb415f0ef2da3a435ab33f17599b8b","path":"/Users/I561014/go/src/github.com/elastic/beats/filebeat/haproxy.log","state-id":"fingerprint::1e41174870f9cde0921bbf02e6f5b4b615bb415f0ef2da3a435ab33f17599b8b","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:16.174+0200","log.logger":"file_watcher","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/filestream.(*fileWatcher).watch","file.name":"filestream/fswatch.go","file.line":125},"message":"Start next scan","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:16.174+0200","log.logger":"file_watcher","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/filestream.(*fileWatcher).watch","file.name":"filestream/fswatch.go","file.line":229},"message":"File scan complete","service.name":"filebeat","total":1,"written":0,"truncated":0,"renamed":0,"removed":0,"created":0,"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:16.176+0200","log.logger":"publisher_pipeline_output","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*netClientWorker).run","file.name":"pipeline/client_worker.go","file.line":138},"message":"Connecting to backoff(elasticsearch(https://localhost:9200))","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:16.176+0200","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.(*Connection).Ping","file.name":"eslegclient/connection.go","file.line":303},"message":"ES Ping(url=https://localhost:9200)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2025-05-06T15:04:16.176+0200","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.(*TLSConfig).ToConfig","file.name":"tlscommon/tls_config.go","file.line":107},"message":"SSL/TLS verifications disabled.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:16.190+0200","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/httpcommon.(*HTTPTransportSettings).RoundTripper.LoggingDialer.func2","file.name":"transport/logging.go","file.line":43},"message":"Completed dialing successfully","service.name":"filebeat","network.transport":"tcp","server.address":"localhost:9200","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:16.194+0200","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.(*Connection).Ping","file.name":"eslegclient/connection.go","file.line":322},"message":"Ping status code: 200","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:16.194+0200","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.(*Connection).Ping","file.name":"eslegclient/connection.go","file.line":323},"message":"Attempting to connect to Elasticsearch version 8.17.4 (default)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:16.194+0200","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.(*Connection).Request","file.name":"eslegclient/connection.go","file.line":380},"message":"GET https://localhost:9200/_license?human=false  <nil>","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:16.197+0200","log.logger":"index-management","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/idxmgmt.(*indexManager).Setup","file.name":"idxmgmt/index_support.go","file.line":254},"message":"Auto lifecycle enable success.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:16.197+0200","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.(*Connection).Request","file.name":"eslegclient/connection.go","file.line":380},"message":"GET https://localhost:9200/_ilm/policy/filebeat  <nil>","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:16.203+0200","log.logger":"index-management.ilm","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/idxmgmt/lifecycle.(*stdManager).EnsurePolicy","file.name":"lifecycle/standard_manager.go","file.line":111},"message":"lifecycle policy filebeat exists already.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:16.204+0200","log.logger":"index-management","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/idxmgmt.applyLifecycleSettingsToTemplate","file.name":"idxmgmt/index_support.go","file.line":402},"message":"Set settings.index.lifecycle.name in template to filebeat as ILM is enabled.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:16.204+0200","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.(*Connection).Request","file.name":"eslegclient/connection.go","file.line":380},"message":"HEAD https://localhost:9200/_index_template/filebeat-9.1.0  <nil>","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:16.209+0200","log.logger":"template_loader","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/template.(*ESLoader).Load","file.name":"template/load.go","file.line":121},"message":"Template \"filebeat-9.1.0\" already exists and will not be overwritten.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:16.209+0200","log.logger":"index-management","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/idxmgmt.(*indexManager).Setup","file.name":"idxmgmt/index_support.go","file.line":299},"message":"Loaded index template.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:16.209+0200","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.(*Connection).Request","file.name":"eslegclient/connection.go","file.line":380},"message":"GET https://localhost:9200/  <nil>","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:16.211+0200","log.logger":"publisher_pipeline_output","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*netClientWorker).run","file.name":"pipeline/client_worker.go","file.line":146},"message":"Connection to backoff(elasticsearch(https://localhost:9200)) established","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:16.320+0200","log.logger":"elasticsearch.elasticsearch","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/outputs/elasticsearch.(*Client).doBulkRequest","file.name":"elasticsearch/client.go","file.line":303},"message":"doBulkRequest: 53 events have been sent to elasticsearch in 108.932167ms.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:16.320+0200","log.logger":"publisher","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/queue/memqueue.(*ackLoop).handleBatchSig","file.name":"memqueue/ackloop.go","file.line":80},"message":"ackloop: return ack to broker loop:53","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:16.320+0200","log.logger":"publisher","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/queue/memqueue.(*ackLoop).handleBatchSig","file.name":"memqueue/ackloop.go","file.line":82},"message":"ackloop:  done send ack","service.name":"filebeat","ecs.version":"1.6.0"}
^C{"log.level":"info","@timestamp":"2025-05-06T15:04:18.401+0200","log.logger":"service","log.origin":{"function":"github.com/elastic/elastic-agent-libs/service.HandleSignals.func1","file.name":"service/service.go","file.line":52},"message":"Received signal \"interrupt\", stopping","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:18.401+0200","log.logger":"publisher","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*Pipeline).Close","file.name":"pipeline/pipeline.go","file.line":166},"message":"close pipeline","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:18.401+0200","log.logger":"publisher","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*queueReader).run","file.name":"pipeline/queue_reader.go","file.line":68},"message":"pipeline event consumer queue reader: stop","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:18.401+0200","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/beater.(*Filebeat).Stop","file.name":"beater/filebeat.go","file.line":538},"message":"Stopping filebeat","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:18.401+0200","log.logger":"crawler","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/beater.(*crawler).Stop","file.name":"beater/crawler.go","file.line":156},"message":"Stopping Crawler","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:18.401+0200","log.logger":"crawler","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/beater.(*crawler).Stop","file.name":"beater/crawler.go","file.line":166},"message":"Stopping 1 inputs","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:18.401+0200","log.logger":"crawler.module.reloader","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cfgfile.(*Reloader).Run","file.name":"cfgfile/reload.go","file.line":231},"message":"Dynamic config reloader stopped","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:18.401+0200","log.logger":"crawler","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/beater.(*crawler).Stop.func2","file.name":"beater/crawler.go","file.line":171},"message":"Stopping input: 7184716629260632359","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:18.401+0200","log.logger":"input.filestream","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/filestream.(*filestream).Run.func1","file.name":"filestream/input.go","file.line":161},"message":"Closing reader of filestream","service.name":"filebeat","id":"my-filestream-id","source_file":"filestream::my-filestream-id::fingerprint::1e41174870f9cde0921bbf02e6f5b4b615bb415f0ef2da3a435ab33f17599b8b","path":"/Users/I561014/go/src/github.com/elastic/beats/filebeat/haproxy.log","state-id":"fingerprint::1e41174870f9cde0921bbf02e6f5b4b615bb415f0ef2da3a435ab33f17599b8b","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:18.401+0200","log.logger":"input.filestream","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/filestream.(*filestream).readFromSource","file.name":"filestream/input.go","file.line":369},"message":"Reader was closed. Closing. Path='/Users/I561014/go/src/github.com/elastic/beats/filebeat/haproxy.log'","service.name":"filebeat","id":"my-filestream-id","source_file":"filestream::my-filestream-id::fingerprint::1e41174870f9cde0921bbf02e6f5b4b615bb415f0ef2da3a435ab33f17599b8b","path":"/Users/I561014/go/src/github.com/elastic/beats/filebeat/haproxy.log","state-id":"fingerprint::1e41174870f9cde0921bbf02e6f5b4b615bb415f0ef2da3a435ab33f17599b8b","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:18.401+0200","log.logger":"publisher","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*client).Close","file.name":"pipeline/client.go","file.line":137},"message":"client: closing acker","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:18.401+0200","log.logger":"publisher","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*client).Close","file.name":"pipeline/client.go","file.line":142},"message":"client: done closing acker","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:18.401+0200","log.logger":"publisher","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*client).Close","file.name":"pipeline/client.go","file.line":144},"message":"client: close queue producer","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:18.401+0200","log.logger":"publisher","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*client).Close","file.name":"pipeline/client.go","file.line":147},"message":"client: done producer close","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:18.401+0200","log.logger":"publisher","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*client).Close","file.name":"pipeline/client.go","file.line":150},"message":"client: closing processors","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:18.401+0200","log.logger":"publisher","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*client).Close","file.name":"pipeline/client.go","file.line":155},"message":"client: done closing processors","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:18.401+0200","log.logger":"input.filestream","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/filestream/internal/input-logfile.startHarvester.func1","file.name":"input-logfile/harvester.go","file.line":250},"message":"Stopped harvester for file","service.name":"filebeat","id":"my-filestream-id","source_file":"filestream::my-filestream-id::fingerprint::1e41174870f9cde0921bbf02e6f5b4b615bb415f0ef2da3a435ab33f17599b8b","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:18.402+0200","log.logger":"input.filestream","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/filestream.(*fileProspector).Run","file.name":"filestream/prospector.go","file.line":316},"message":"Prospector has stopped","service.name":"filebeat","id":"my-filestream-id","prospector":"file_prospector","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:18.402+0200","log.logger":"input.filestream","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/v2/compat.(*runner).Start.func1","file.name":"compat/compat.go","file.line":168},"message":"Input 'filestream' stopped (goroutine)","service.name":"filebeat","id":"my-filestream-id","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:18.402+0200","log.logger":"input.filestream.metric_registry","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/monitoring/inputmon.CancelMetricsRegistry","file.name":"inputmon/input.go","file.line":161},"message":"unregistering","service.name":"filebeat","id":"my-filestream-id","registry_id":"my-filestream-id","input_id":"my-filestream-id","input_type":"filestream","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:18.402+0200","log.logger":"input.filestream","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/v2/compat.(*runner).Stop","file.name":"compat/compat.go","file.line":176},"message":"Input 'filestream' stopped (runner)","service.name":"filebeat","id":"my-filestream-id","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:18.402+0200","log.logger":"crawler","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/beater.(*crawler).Stop","file.name":"beater/crawler.go","file.line":186},"message":"Crawler stopped","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:18.402+0200","log.logger":"registrar","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/registrar.(*Registrar).Stop","file.name":"registrar/registrar.go","file.line":126},"message":"Stopping Registrar","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:18.402+0200","log.logger":"registrar","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/registrar.(*Registrar).Run","file.name":"registrar/registrar.go","file.line":162},"message":"Ending Registrar","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:18.402+0200","log.logger":"registrar","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/registrar.(*Registrar).Run","file.name":"registrar/registrar.go","file.line":163},"message":"Stopping Registrar","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:18.402+0200","log.logger":"registrar","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/registrar.(*Registrar).Stop","file.name":"registrar/registrar.go","file.line":131},"message":"Registrar stopped","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:18.407+0200","log.origin":{"function":"github.com/elastic/elastic-agent-system-metrics/metric/system/numcpu.NumCPU","file.name":"numcpu/numcpu.go","file.line":41},"message":"Accurate CPU counts not available on platform, falling back to runtime.NumCPU for metrics","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2025-05-06T15:04:18.407+0200","log.origin":{"function":"github.com/elastic/elastic-agent-system-metrics/metric/system/numcpu.NumCPU","file.name":"numcpu/numcpu.go","file.line":41},"message":"Accurate CPU counts not available on platform, falling back to runtime.NumCPU for metrics","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:18.407+0200","log.logger":"monitoring","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logTotals","file.name":"log/log.go","file.line":200},"message":"Total metrics","service.name":"filebeat","monitoring":{"metrics":{"beat":{"cpu":{"system":{"ticks":1,"time":{"ms":1}},"total":{"ticks":2,"time":{"ms":2},"value":2},"user":{"ticks":1,"time":{"ms":1}}},"info":{"ephemeral_id":"08d0b639-0fd9-4789-8ce0-96fec22e1628","name":"filebeat","uptime":{"ms":12632},"version":"9.1.0"},"memstats":{"gc_next":13723746,"memory_alloc":9731608,"memory_sys":24790280,"memory_total":15818808,"rss":54099968},"runtime":{"goroutines":8}},"filebeat":{"harvester":{"closed":1,"open_files":0,"running":0,"skipped":0,"started":1},"input":{"log":{"files":{"renamed":0,"truncated":0}}}},"libbeat":{"config":{"module":{"running":0,"starts":0,"stops":0},"reloads":1,"scans":1},"output":{"batches":{"split":0},"events":{"acked":53,"active":0,"batches":1,"dead_letter":0,"dropped":0,"duplicates":0,"failed":0,"toomany":0,"total":53},"read":{"bytes":3942,"errors":0},"type":"elasticsearch","write":{"bytes":8556,"errors":0,"latency":{"histogram":{"count":1,"max":108,"mean":108,"median":108,"min":108,"p75":108,"p95":108,"p99":108,"p999":108,"stddev":0}}}}},"registrar":{"states":{"cleanup":0,"current":0,"update":0},"writes":{"fail":0,"success":0,"total":0}},"system":{"cpu":{"cores":12},"load":{"1":2.5737,"15":3.085,"5":2.9614,"norm":{"1":0.2145,"15":0.2571,"5":0.2468}}}},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2025-05-06T15:04:18.407+0200","log.logger":"monitoring","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logTotals","file.name":"log/log.go","file.line":201},"message":"Uptime: 12.627499792s","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:18.407+0200","log.logger":"monitoring","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).snapshotLoop","file.name":"log/log.go","file.line":168},"message":"Stopping metrics logging.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2025-05-06T15:04:18.408+0200","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).launch","file.name":"instance/beat.go","file.line":768},"message":"filebeat stopped.","service.name":"filebeat","ecs.version":"1.6.0"}

Signed-off-by: Robert Paschedag <robert.paschedag@web.de>

mergify · 2025-05-06T06:14:07Z

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @rpasche? 🙏.
For such, you'll need to label your PR with:

The upcoming major version of the Elastic Stack
The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
backport-active-all is the label that automatically backports to all active branches.
backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

elasticmachine · 2025-05-06T09:35:13Z

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

cla-checker-service · 2025-05-06T13:07:41Z

💚 CLA has been signed

Signed-off-by: Robert Paschedag <robert.paschedag@web.de>

AndersonQ · 2025-05-27T13:50:15Z

Hi @rpasche, it's a good start, thanks :)

Could you add some tests to it? You should try to cover the happy path and as many failure cases as possible.

Due to the similarity, I'd suggest you to check the dissect processor for inspiration on what and how test.

Please let me know if you need any further help.

AndersonQ · 2025-05-27T13:27:18Z

metricbeat/include/list_init.go

This should not be part of this PR. Could you remove those changes?

Reverted those changes. But those had been placed. At least, I did not - manually - do the changes.

AndersonQ · 2025-05-27T13:43:58Z

libbeat/processors/grok/grok.go

+	if err != nil {
+		return nil, fmt.Errorf("failed to get field '%s' from event: %w", field, err)
+	}
+
+	input, ok := field.(string)
+	if !ok {
+		return nil, fmt.Errorf("field '%s' is not a string", field)
+	}
+
+	values, err := u.grok.ParseTypedString(input)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse input with grok pattern: %w", err)
+	}
+
+	for k, v := range values {
+		_, err := event.PutValue(k, v)
+		if err != nil {
+			return nil, fmt.Errorf("failed to update event with parsed data: %w", err)
+		}
+	}


I believe it's better to preserve the original event on failure, that means, instead of returning nil, return the original event on failure. Also before making permanent changes to the event, clone it, so the backup can be returned if there is any error while applying permanent changes.

Signed-off-by: Robert Paschedag <robert.paschedag@web.de>

strawgate · 2025-05-27T15:10:14Z

Please see: #30073 (comment)

mergify · 2025-05-30T08:56:31Z

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b grok_processor upstream/grok_processor
git merge upstream/main
git push upstream grok_processor

rdner · 2025-07-15T15:41:55Z

Closing to #44215 (comment)

add basic grok processor functionality

8443437

Signed-off-by: Robert Paschedag <robert.paschedag@web.de>

rpasche requested review from a team as code owners May 6, 2025 06:13

rpasche requested review from AndersonQ and VihasMakwana May 6, 2025 06:13

botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label May 6, 2025

mergify bot assigned rpasche May 6, 2025

Merge branch 'main' into grok_processor

bf2e693

pierrehilbert added the Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team label May 6, 2025

botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label May 6, 2025

pierrehilbert requested review from rdner and faec May 6, 2025 09:35

rpasche force-pushed the grok_processor branch from c74821d to 0dac95e Compare May 6, 2025 13:11

fix typo in field name within grok.asciidoc

3807832

Signed-off-by: Robert Paschedag <robert.paschedag@web.de>

rpasche force-pushed the grok_processor branch from 0dac95e to 3807832 Compare May 6, 2025 13:14

AndersonQ reviewed May 27, 2025

View reviewed changes

rpasche added 2 commits May 27, 2025 17:01

revert changes to list_init.go (as suggested)

086a9bb

Signed-off-by: Robert Paschedag <robert.paschedag@web.de>

missed the empty line

fee83a5

Signed-off-by: Robert Paschedag <robert.paschedag@web.de>

rdner closed this Jul 15, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

add basic grok processor functionality #44215

add basic grok processor functionality #44215

Uh oh!

rpasche commented May 6, 2025 •

edited

Loading

Uh oh!

mergify bot commented May 6, 2025

Uh oh!

elasticmachine commented May 6, 2025

Uh oh!

cla-checker-service bot commented May 6, 2025 •

edited

Loading

Uh oh!

AndersonQ commented May 27, 2025

Uh oh!

AndersonQ May 27, 2025

Uh oh!

rpasche May 27, 2025

Uh oh!

AndersonQ May 27, 2025

Uh oh!

strawgate commented May 27, 2025

Uh oh!

mergify bot commented May 30, 2025

Uh oh!

rdner commented Jul 15, 2025

Uh oh!

Uh oh!

add basic grok processor functionality #44215

add basic grok processor functionality #44215

Uh oh!

Conversation

rpasche commented May 6, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Proposed commit message

Checklist

Disruptive User Impact

Author's Checklist

How to test this PR locally

Related issues

Use cases

Screenshots

Logs

Uh oh!

mergify bot commented May 6, 2025

Uh oh!

elasticmachine commented May 6, 2025

Uh oh!

cla-checker-service bot commented May 6, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

AndersonQ commented May 27, 2025

Uh oh!

AndersonQ May 27, 2025

Choose a reason for hiding this comment

Uh oh!

rpasche May 27, 2025

Choose a reason for hiding this comment

Uh oh!

AndersonQ May 27, 2025

Choose a reason for hiding this comment

Uh oh!

strawgate commented May 27, 2025

Uh oh!

mergify bot commented May 30, 2025

Uh oh!

rdner commented Jul 15, 2025

Uh oh!

Uh oh!

rpasche commented May 6, 2025 •

edited

Loading

cla-checker-service bot commented May 6, 2025 •

edited

Loading