Converting Splunk Field Extraction in Logstash Equivalent

Elastic Stack Logstash
1

Hello,

I have the following field extraction in Splunk

(?i)- site:(?P<site_id>[^;:]+)

How can I achieve a similar result with logstash?

Sample log message:

INFO 2016-07-21 13:17:48,139 [http-bio-8080-exec-5] com.vendor.recserver.controller.RestController - site:company; abtest:none; pagetemplate:PT_RelatedRec: Total Time = 1ms. widget:RecentlyViewedProduct time:0ms scanned:0 timebox:none fallback:0 of 5 widget:RelatedRec time:0ms scanned:4 timebox:none fallback:0 of 4 context-url:http://www.company.com/eu/p/347340

Other similar splunk field extractions that I would like to replicate for the above message

(?i)context-(url|id):(?P<rtx_context>[^$]+)
(?i)Total Time = (?P<rsp_time>\d+)

Again, is it possible to achieve a similar result using logstash and elastic search?

Thank you again in advance.

Haven't gotten very far with my logstash configuration

filter {
date {
match => ["logtime", "ISO8601" ]
}
grok {
match => { "message" => "%{LOGLEVEL:severity} %{TIMESTAMP_ISO8601:logtime} %{NOTSPACE:javathread} %{JAVACLASS:class} %{GREEDYDATA:therest}"
}
}
}

Ciao, Dario

2

You shouldn't assume that people here know Splunk, i.e. asking "how do I do $SPLUNK_THING in Logstash" might not give the best answers.

(?i)- site\:(?P[^;:]+)

Did you actually mean to say

(?i)- site\:(?<site>P[^;:]+)

or similar? Or what's the "P" doing there? I would've used

- site:(?<site>[^;]+)

to match and extract the site name in your example into a field named site. Notes:

  • There's no need to escape the colon since it isn't a meta-character in regular expressions.
  • I'm not sure why you included a colon in the negative character class so I omitted it.
  • I'm not sure if (?ì) indeed does enable case-insensitive matches, but I'd assume that the log always says "site:" and never "Site:" or "SITE:".