Hi experts.
I am trying to use the dissect filter to parse the below line:
2018-09-24 13:22:38,562 | tshadm | UserAdmin,Admin,CryptoAdmin | 10.128.13.207 | USER | LOGIN_ATTEMPT | | Login was successful
So far my filter looks like this:
dissect {
  mapping => {
    "message" => '%{source_log_timestamp},%{+source_log_timestamp/2} | %{user} | %{roles} | %{ip} | %{component} | %{event} | %{eventdetailid} | %{log_message}'
  }
}
My problem is that the "roles" field can contain an unknown number of strings separated by commas (,).
Is it possible to parse the roles with the dissect filter, or will I have to grok it?
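
An added example, not part of the original post: dissect only needs to capture the whole roles column as one string, since the column delimiter is the pipe and not the comma, and a mutate split then turns it into an array of any length. This sketch assumes the pipe-delimited layout of the sample line, dissects on the bare `|`, and strips the padding afterwards so a blank column such as eventdetailid still lines up; the field names are the ones from the mapping above.

```logstash
filter {
  # Capture each pipe-delimited column as-is. "roles" arrives as one string
  # such as " UserAdmin,Admin,CryptoAdmin ", however many roles it lists.
  # The last field takes the rest of the line, including any "|" in the message.
  dissect {
    mapping => {
      "message" => "%{source_log_timestamp}|%{user}|%{roles}|%{ip}|%{component}|%{event}|%{eventdetailid}|%{log_message}"
    }
  }

  # Remove the spaces that surround each column in the source line.
  mutate {
    strip => [
      "source_log_timestamp", "user", "roles", "ip",
      "component", "event", "eventdetailid", "log_message"
    ]
  }

  # Split the comma-separated roles into an array, so a query for a single
  # privileged role (for example CryptoAdmin) matches it as an exact term.
  mutate {
    split => { "roles" => "," }
  }
}
```

The strip and split steps are kept in separate mutate blocks so the order in which they run is explicit.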