Compare incoming string/data to keyword list, if in keyword list, flag?

stcdarrell · December 19, 2019, 5:02pm

hi,
i'm not really sure the best way to describe what i'm trying to do.. but i will have data bring streamed into logstash. i have a growing keyword list, that is a text file.

is there a way i can compare the values/data coming in to this keyword list. if the data coming in contains values from the keyword list it creates a new boolean field? keyword=true?

does that make sense?

any suggestions would be appreciated

Transrian · December 19, 2019, 6:09pm

Do you have control of the input keyword file? (Can you modify the format?)

If so, you could probably make use of the filter translate.

If each line of the dictionary is a regex like. '.*mykeyword.*', and the value associated is 'true', it could probably work (even if I'm not sure it would be the best in term of performances).

stcdarrell · December 19, 2019, 6:34pm

i've looked at that approach, and the problem is, the keywords will have match WITHIN the datastream.

example: keyword: "blogspot.com"
androidlover.blogspot.com MATCH
iphonelover.blogspot.com MATCH
nokia.blogspots.com
samsung.blogspot.com MATCH

Transrian · December 19, 2019, 6:46pm

That's why I talked about dictionnary using regex keys

Using your example (and assuming we read the dic value from a file), we would have something like :

filter {
  translate {
    field => "[message]"
    destination => "[match]"

    dictionary => {
      "blogspot\.com" => true
    }

    fallback => false
    regex => true
  }

}

Become :

{
  "@timestamp": "2019-12-19T18:43:57.977Z",
  "@version": "1",
  "host": "localhost",
  "match": "true",
  "message": "androidlover.blogspot.com"
}
{
  "@timestamp": "2019-12-19T18:43:57.978Z",
  "@version": "1",
  "host": "localhost",
  "match": "true",
  "message": "iphonelover.blogspot.com"
}
{
  "@timestamp": "2019-12-19T18:43:57.978Z",
  "@version": "1",
  "host": "localhost",
  "match": "false",
  "message": "nokia.blogspots.com"
}
{
  "@timestamp": "2019-12-19T18:43:57.978Z",
  "@version": "1",
  "host": "localhost",
  "match": "true",
  "message": "samsung.blogspot.com"
}

Did I understand you correctly ?

system · January 16, 2020, 6:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Comparing field values with value from external file without dictionary k/v? Logstash	3	579	March 4, 2020
Regexp in conditional Logstash	10	4450	September 6, 2019
Check if field value is present at certain file Logstash	1	776	May 26, 2017
Matching/Finding keywords in an already parsed field via GROK Logstash	3	923	April 12, 2019
Tag Doc if match to List of Text terms Keywords Logstash	3	522	November 11, 2021

Compare incoming string/data to keyword list, if in keyword list, flag?

Related topics