Adding Fields and Formatting

Kernel_Panic · October 28, 2019, 3:10pm

Hello there
I would like to parse / format a log file that at some point it contains the following:

20191016160456 ,PRIORITY,COLOR,APP-NAME~hostname_instance_01, process not found

First field is a timestamp, second ( PRIORITY ) is a priority that can be P1,2 or 3 the followed by a state ( COLOR) that can be red, green, yellow then a description of the app having the issue.

The problem with this is that if I want to use grok, from what I understood, I have no field name like priority: p1 timestamp: xxxxxxx I have the values itself. Do you have any example of how can I create a new field with add_field for example so that I have Severity containing P1,2 or 3 , State containing green , red and so on, so then I can make searches on those values?

My aim is to create watchers / alerts based on those values.

Thanks
Regards

Badger · October 28, 2019, 4:45pm

Have you considered using a csv filter?

Kernel_Panic · October 28, 2019, 4:51pm

Yes, the format looks like that, but the whole log file is different, is not standard format to say it some way, it contains those lines but is not the whole file like that, can I use the csv filter anyway?

Thank you!
Regards

Kernel_Panic · October 28, 2019, 5:35pm

I gave it a try and it seems to have done the trick, it created default fields, column2,3,4 is there a way to change those names?

Thanks
Regards

Kernel_Panic · October 28, 2019, 5:43pm

I did it with the mutate filter, thank you guys for the help!!

Badger · October 28, 2019, 5:48pm

You can use the columns option on the csv filter.

system · November 25, 2019, 5:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.