Basic grok query - logstash

Hi Team,

I am still learning grok and have a basic query which I tried searching for but could not find a clear answer to, hence I am asking this community. My apologies if this was already asked.

What is [type] in a filter? Is this the extracted field? Or is it the field the parser looks for to match the message?

e.g.

if [type] == "snort"
if [type] == "mcafee"

I assume you are asking about the type in this construct: %{NUMBER:bytes:int}. The first component NUMBER is the pattern to use and bytes is the name of the field the matched data will be stored in. The int portion is the type and specifies how this should be formatted in the JSON document. This allows you to automatically convert it to an int or float instead of the default string format, but it should not be confused with the types specified in the mappings used when Elasticsearch is parsing the data.

I guess there is some confusion; I am not talking about the int or float type. Let's take the example below; I want to understand what messages will be matched.

if [type] == "windows" {
#    json {
#      source => "message"
#    }
    # parse the EventTime field into @timestamp, then drop the original
    date {
      match => ["EventTime", "YYYY-MM-dd HH:mm:ss"]
      remove_field => [ "EventTime" ]
    }
}

How is [type] "windows" decided for this message? Or:

filter {
  if [type] == "dns" and "bro" not in [tags] {
    json {
      source => "message"
    }
    # strip whitespace from message field
    mutate {
      strip => "message"
    }
  }
}

Sorry, did not read the post properly. That is a conditional where [type] references a field. That can be any field in the event.

So that is any field which is already parsed?

Yes, any parsed field.

1 Like
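To make the answers above concrete, here is an added example pipeline (not from the original thread or from Elastic): it shows where [type] comes from (the input plugin sets it on every event), how the conditionals then branch on it, and how the %{NUMBER:bytes:int} cast from the first reply looks inside a grok filter. The generator inputs carry constructed sample lines so the pipeline runs offline with no real log files; the snort line format, the grok pattern for it and the JSON fields are assumptions for illustration only.

```logstash
# Added example: not part of the original post.
# Each input plugin stamps its events with the "type" you configure on it,
# which is what "if [type] == ..." later tests.

input {
  # Constructed sample events. In a real pipeline these would be file or
  # beats inputs; "type" and "tags" are options common to every input.
  generator {
    lines => ["10.0.0.5 sent 1234 bytes"]        # assumed snort-like line
    count => 1
    type  => "snort"
  }
  generator {
    lines => ['{"EventTime":"2024-01-02 03:04:05","EventID":4624}']
    count => 1
    type  => "windows"
  }
  generator {
    lines => ["  example.com A 93.184.216.34  "]  # padded to show strip
    count => 1
    type  => "dns"
  }
  generator {
    lines => ["  example.org A 93.184.216.35  "]
    count => 1
    type  => "dns"
    tags  => ["bro"]                              # excluded by the dns branch
  }
}

filter {
  # Events from a shipper that set no type would skip every branch below,
  # so give them a value that can still be tested in conditionals.
  if ![type] {
    mutate { add_field => { "type" => "unknown" } }
  }

  if [type] == "snort" {
    # Pattern is an assumption matching only the constructed line above.
    # bytes is stored as an integer because of the ":int" suffix.
    grok {
      match => { "message" => "%{IP:src_ip} sent %{NUMBER:bytes:int} bytes" }
    }
  }

  if [type] == "windows" {
    json { source => "message" }
    date {
      match        => ["EventTime", "YYYY-MM-dd HH:mm:ss"]
      remove_field => [ "EventTime" ]
    }
  }

  # Any event field can be tested, not only type: here tags is checked too,
  # so the event tagged "bro" is left untouched.
  if [type] == "dns" and "bro" not in [tags] {
    mutate { strip => "message" }
  }
}

output {
  stdout { codec => rubydebug }
}
```

Run it with `bin/logstash -f example.conf` and compare the four printed events: the snort event gains src_ip and an integer bytes field, the windows event gets its @timestamp from EventTime, and only the untagged dns event has its message trimmed. The conditionals never look at the raw text themselves; they only compare fields that an input or an earlier filter has already put on the event.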

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.