Can dissect filter be used, when message contains unknown number of names separated by comma

Hi experts.

I am trying to use the dissect filter to parse the below line:

2018-09-24 13:22:38,562 | tshadm | UserAdmin,Admin,CryptoAdmin | 10.128.13.207 | USER | LOGIN_ATTEMPT | | Login was successful

So far my filter looks lie this:

dissect {
    mapping => {
        "message" => '%{source_log_timestamp},%{+source_log_timestamp/2} | %{user} | %{roles} | %{ip} | %{component} | %{event} | %{eventdetailid} | %{log_message}'
    }
}

My problem is that the "roles" field can contain an unknown number og strings separated by comma (,).
Is it possible to parse the roles with the dissect filter, or will I have to grok it?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.