My tomcat access logs have last field as “%D – Time taken to process the request, in millis”.
I am trying to filter the logs which took more than some number of milliseconds, but it is showing all the logs as a result, I am trying as per lucene “Range Searches” http://lucene.apache.org/core/2_9_4/queryparsersyntax.htmlBelow filter queries are tried:
timetaken: [1000 TO *]
timetaken: [1000 TO 5000]
timetaken: [‘1000’ TO *]
Answer
By default logstash takes all input as a string, added “:int” to the fields which i wanted as number.
eg.
%{NUMBER:apache_bytes:int} %{NUMBER:apache_response_time:int}
Ref: https://groups.google.com/forum/#!topic/logstash-users/2ewrcovttSY
Attribution
Source : Link , Question Author : Deepak Deore , Answer Author : Deepak Deore
