Creating a new field based on substring

I have the message below:
2018-06-08 21:35:44,182 DEBUG [org.mobicents.smsc.library.CdrGenerator] 2018-06-08 21:35:44.171,62895416500343,1,1,6282880640846,1,1,success_esme,SS7_HR,message,null,92044,0,null,null,null,null,628964011092,null,0,15,null,0,0,,,,2,"Yth.Bpk/Ibu kredit d","",,,

I filtered it using:
%{TIMESTAMP_ISO8601:logdate} %{LOGLEVEL:debugtype} %{DATA:source} %{TIMESTAMP_ISO8601:smsdate},%{WORD:sourceaddr},%{NUMBER:addrton},%{NUMBER:addrnpi},%{WORD:destaddr},%{NUMBER:sourceton},%{NUMBER:sourcenpi},%{WORD:status}

I want to add another field, let's say "operator", based on the first 5 digits of sourceaddr.

How can I achieve the above objective?

This provides an example of extracting a fixed number of characters as a prefix to a field.

Thanks for your comment. I have read the sample but I am still not sure how to apply it. Can you elaborate more on this?

Have you tried a separate grok block with the following:

grok { match => [ "sourceaddr", "^(?<operator>.....)" ] }

I tried it like below:

%{TIMESTAMP_ISO8601:logdate} %{LOGLEVEL:debugtype} %{DATA:source} %{TIMESTAMP_ISO8601:smsdate},%{WORD:sourceaddr},%{NUMBER:addrton},%{NUMBER:addrnpi},%{WORD:destaddr},%{NUMBER:sourceton},%{NUMBER:sourcenpi},%{WORD:status}[ "sourceaddr", "^(?<operator>.....)" ]

The above pattern doesn't give me another field, operator.

Put it in two separate grok blocks. The first one extracts all the fields and the second the 5 character prefix.
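A small Ruby emulation of the two-stage approach described above, as an added example that is not code from this thread or from Logstash (Logstash runs on JRuby and compiles grok patterns to regular expressions, so named-capture semantics carry over). The grok pattern definitions are simplified re-statements of the built-in ones (an assumption, not the upstream regexes), and the short-address case shows why anchoring the prefix and checking for the _grokparsefailure tag matters.

```ruby
# Equivalent Logstash filter section (two separate grok blocks):
#   grok { match => { "message"    => "<the long line pattern>" } }
#   grok { match => { "sourceaddr" => "^(?<operator>.....)" } }

# Simplified re-statements of the built-in grok patterns the thread uses
# (assumption: close enough for this CDR line, not the exact upstream regexes).
GROK_PATTERNS = {
  "TIMESTAMP_ISO8601" => '\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?',
  "LOGLEVEL"          => '(?:TRACE|DEBUG|INFO|WARN|ERROR|FATAL)',
  "DATA"              => '.*?',
  "WORD"              => '\b\w+\b',
  "NUMBER"            => '[-+]?\d+(?:\.\d+)?',
}.freeze

# Expand every %{PATTERN:field} into a named capture group and compile.
def compile_grok(pattern)
  Regexp.new(pattern.gsub(/%\{(\w+):(\w+)\}/) { "(?<#{$2}>#{GROK_PATTERNS.fetch($1)})" })
end

# One grok filter stage: merge the named captures into the event, or tag it
# with _grokparsefailure the way Logstash does when the pattern does not match.
def grok(event, field, pattern)
  m = compile_grok(pattern).match(event[field].to_s)
  return event.merge("tags" => (event["tags"] || []) + ["_grokparsefailure"]) unless m
  event.merge(m.named_captures)
end

LINE_PATTERN = '%{TIMESTAMP_ISO8601:logdate} %{LOGLEVEL:debugtype} %{DATA:source} ' \
  '%{TIMESTAMP_ISO8601:smsdate},%{WORD:sourceaddr},%{NUMBER:addrton},%{NUMBER:addrnpi},' \
  '%{WORD:destaddr},%{NUMBER:sourceton},%{NUMBER:sourcenpi},%{WORD:status}'

# Stage 1 parses the raw message; stage 2 runs only against sourceaddr.
# The prefix pattern is anchored with ^ so the operator cannot start mid-string,
# and a sourceaddr shorter than 5 characters is tagged rather than silently truncated.
def parse_cdr(message)
  event = grok({ "message" => message }, "message", LINE_PATTERN)
  return event if event["tags"]
  grok(event, "sourceaddr", '^(?<operator>.....)')
end

# Constructed sample: the line quoted in the thread, cut after the status field.
SAMPLE = "2018-06-08 21:35:44,182 DEBUG [org.mobicents.smsc.library.CdrGenerator] " \
         "2018-06-08 21:35:44.171,62895416500343,1,1,6282880640846,1,1,success_esme,SS7_HR"

if __FILE__ == $0
  event = parse_cdr(SAMPLE)
  puts "operator=#{event['operator']} sourceaddr=#{event['sourceaddr']} status=#{event['status']}"
end
```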

Hi Christian,

Thanks for your suggestion. It's working. Now I have a field called operator with only 5 characters in it. But I have another problem: it seems that after adding this field, the field is not part of the index. How do I include it in the index?


It seems the issue is in Kibana. After adding the field to the index in Kibana, the field can be visualized now.

