Csv filter : how to deal with missing field?

Travis · November 25, 2021, 9:21am

Hello !

I have the following data :

<188>Nov 25 07:38:31 172.28.192.111 ts-swsan-p11 raslogd: 2021/11/25-07:38:31, [MAPS-1003], 28921, WWN 10:00:88:94:71:c4:c0:e0 | FID 128, WARNING, ts-swsan-p11, SW11_TS_VPLEX_P01_E1B2FC01, F-Port 28, Condition=ALL_PORTS(DEV_LATENCY_IMPACT==IO_PERF_IMPACT), Current Value:[DEV_LATENCY_IMPACT, IO_PERF_IMPACT, (10 ms Frame Delay) ], RuleName=defALL_PORTS_IO_PERF_IMPACT_UNQUAR, Dashboard Category=Fabric Performance Impact.

<190>Nov 25 07:39:31 172.28.192.111 ts-swsan-p11 raslogd: 2021/11/25-07:39:31, [MAPS-1004], 28922, WWN 10:00:88:94:71:c4:c0:e0 | FID 128, INFO, ts-swsan-p11, SW11_TS_VPLEX_P01_E1B2FC01, F-Port 28, Condition=ALL_PORTS(DEV_LATENCY_IMPACT==IO_LATENCY_CLEAR), Current Value:[DEV_LATENCY_IMPACT, IO_LATENCY_CLEAR], RuleName=defALL_PORTS_IO_LATENCY_CLEAR, Dashboard Category=Fabric Performance Impact.

And the following pipeline :

filter
{


    csv {
      skip_empty_columns => true
      autogenerate_column_names => false
      columns => ["syslog_header","maps","to_define","switch_WWN","severity","device_name","port_name","port_number","condition","current_value","log_type","frame_delay","rule_name","dashboard_category"]

      }

}

In the second line of log, the one starting with <190>, the field (10 ms Frame Delay) ] is missing. And so, the parsing is shifted :

I have this :

frame_delay => RuleName=defALL_PORTS_IO_LATENCY_CLEAR

Instead of this :

frame_delay =>
rule_name => RuleName=defALL_PORTS_IO_LATENCY_CLEAR

I tried skip_empty_columns => true but the field is not parsed as empty so it looks like this is not the solution

Any way to figure this out ?

Thanks !

Badger · November 25, 2021, 2:39pm

That is not a CSV format, so a csv filter is the wrong tool. I would parse the constant format prefix to the message using dissect, or perhaps grok, then use a kv filter.

kv { value_split => "=" field_split_pattern => " (?=([A-Za-z ]+=))" trim_value => ",." }

will result in

 "Condition" => "ALL_PORTS(DEV_LATENCY_IMPACT==IO_LATENCY_CLEAR), Current Value:[DEV_LATENCY_IMPACT, IO_LATENCY_CLEAR]",RuleName=defALL_PORTS_IO_LATENCY_CLEAR, Dashboard Category=Fabric Performance Impact.",
  "RuleName" => "defALL_PORTS_IO_LATENCY_CLEAR",
  "Category" => "Fabric Performance Impact"

which probably needs some tuning, but may get you started.

Travis · November 25, 2021, 4:09pm

Thank you @Badger . I'm going to test this.

As a temporary workaround, I found this :

filter
{

grok {
  match => { "message" => "<%{POSINT:syslog_pri}>(%{SYSLOGTIMESTAMP:syslog_timestamp}) %{IP:syslog_host_ip} %{HOSTNAME:syslog_host} %{SYSLOGPROG:syslog_prog}: %{YEAR}/%{MONTHNUM}/%{MONTHDAY}-%{HOUR}:%{MINUTE}:%{SECOND}, (\[%{DATA:maps}\])?, %{INT:to_define}, %{DATA:wwn}, %{WORD:severity}, %{HOSTNAME:device_name}, %{DATA:port_name}, F-Port %{INT:port_number}, Condition=%{DATA:condition}, Current Value:\[(%{DATA:current_value_1})?, (%{DATA:current_value_2}])?, RuleName=%{DATA:rule_name}, Dashboard Category=%{DATA:dashboard_category}\." }
}

if [current_value_2] =~ ".*Delay.*" {
        grok {
                match => { "current_value_2" => "%{INT:frame_delay}"}
        }
}
}

system · December 23, 2021, 4:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.