Hello,
I have a problem with an extractor created in a filebeat input (Beats)
The extractor has been created in the message field using a grok pattern to extract the path of a file in an HTTP POST request with the objective of adding a new “file” field to the logs that collects the file path.
The grok pattern used is the following:
POST %{PATH:file} HTTP/1.1
For example, in the following log:
0.0.0.0 - ROOT [24/Apr/2024:11:39:00 +0200] “POST /home/pages/start.do HTTP/1.1” 200
The extractor will create a “file” field that will contain the value “/home/pages/start.do”
Carrying out tests before adding the extractor, the operation is correct and once added, logs have been received in which, after processing, the “file” field has been created.
The problem is that after a few minutes of adding the extractor, the process buffer fills 100% and stops processing, not working again until the extractor is removed and the Graylog service is restarted.
Is the extractor poorly created? Is there any alternative?
Thanks greetings.