Add field in logstash config

(Sergey) #1

I have logs like this:
GetLoginGata: login: 'G:59423457'; deviceId: 'FF7567DE-8822-4D0F-9E2E-651A202B6B58'
And I want to get fields with grok filter in my config:
grok {
match => [ "message", " login: %{WORD:login}" ]
tag_on_failure => []
grok {
match => [ "message", " deviceid: %{WORD:device-id}" ]
tag_on_failure => []
But it's didn't come. Where is mistake?

(Magnus Bäck) #2

There are multiple problems here.

  • The device-id string contains hyphens. I don't think WORD matches hyphens.
  • There's a single quote on each side of the value and single quotes are also not included in WORD.

You could e.g. use this grok filter:

filter {
  grok {
    match => [
      "^GetLoginGata: login: '(?<login>[^']+)'; deviceId: '(?<deviceid>[^']+)'"

(Sergey) #3

Brilliant, many thanks
Where I can get more information about syntax in grok filter?
For example what does it means '(?[^']+)'?

(Magnus Bäck) #4

Grok expressions are regular expressions with the addition of %{PATTERN:variable} captures. (?<deviceid>[^']+) isn't grok-specific but a good old regular expression that means "match and save one or more characters that aren't single quotes into the named capture 'deviceid'".

(Sergey) #5

ok, and just for me, if I want to break your code like this:
grok {
match => [ "message", " login: '(?[^']+)' "]
tag_on_failure => []

grok {
match => [ "message", " deviceId: '(?[^']+)' "]
tag_on_failure => []
fields not coming. Where is mistake here? Sorry for noob questions.

(Magnus Bäck) #6

Please make configuration snippets preformatted so that things that look like HTML tags aren't stripped. I'm going to assume your configuration actually says (?<login>[^']+) rather than (?[^']+).

I don't know off the top of my head why the above doesn't work and I don't have time to debug it. Why do you want multiple filters?

(system) #7