Combining Netscaler Appflow request and response within Logstash

scherma · December 3, 2017, 12:12pm

Hi all, when using Logstash to parse Netscaler Appflow, I have noted that the Appflow output places request and response information different records. I would like to be able to combine the request and response (they are linked by the "netscalerTransactionId" field). I don't really know Ruby, so I've created something that will perform this task in Python, however that's a bit of an ugly solution. Is it possible to do this within Logstash?

Also if this is not something that exists, is there anyone who would be willing to supply sample Logstash JSON output? I have been testing internally but I want to be sure my code works everywhere, not just on the content I have.

JKhondhu · December 5, 2017, 8:36am

Hi,

Have a look at logstash's mutate add_field or merge : https://www.elastic.co/guide/en/logstash/current/plugins-filters-mutate.html#plugins-filters-mutate-merge

add_field would look something like below where new_field is the name of the field you desire for req&resp to be.

mutate {
add_field => {
"new_field" => "%{oldfield1} %{oldfield2}"
}
remove_field => ["oldfield1", "oldfield"]
}

scherma · December 5, 2017, 8:40am

Hi JKhondhu,

I am aware of add_field and merge, but these functions get applied to individual messages being processed by Logstash and the issue is that this use case requires two separate messages to be combined based on a field with a common value.

system · January 2, 2018, 8:41am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.