Cut off matching content and write to field

Hi,

is there any way to match a pattern inside a log and just write a part of it to a field? Here's an abstraction of my log:

elapsedTimeMs=41

I'd wrap it in () because it's sporadic and want the 41 to be written into a field called elapsed.time or so. Is there any way to do that?

Thanks in advance

Yes, you do that using a grok filter. Hard to say more without seeing some actual log lines rather than an abstraction.

2022-08-03 08:13:54,376 INFO 1343434000 Server.Servlet <Gxyzdvlet> [TraceID: 5bdd1e20] Operation completed {url="https://url", servletClass="edge.servlet.jsonrpc.JsonRpcServlet", executionTime=1530637574515724, from="1vvvv", user="11341444441000", elapsedTimeMs=301, message="lll servlet has stopped processing the request", eventType="STOP", serverID="abc-def-3434"}, Operation completed {url="https://ttttt", servletClass="edge.servlet.jsonrpc.JsonRpcServlet", executionTime=1530637574515724, from="12.34.56.78", user="1vvv0", elapsedTimeMs=301, message="u servlet has stopped processing the request", eventType="STOP", serverID="lxyz-def-213"}

e.g. like that

    filter {
      grok {
        # Capture the digits after "elapsedTimeMs=" into the field "elapsedtime";
        # POSINT matches a positive integer (no leading zero, so a bare 0 is not matched).
        match => { "message" => "elapsedTimeMs=%{POSINT:elapsedtime}" }
      }
    }

If you want to fully parse, use dissect or grok + KV for the content inside { .. }
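To show what the grok pattern above actually does, and what a grok + kv pass over the `{ .. }` content yields, here is an added Python emulation (not Logstash code and not from this thread): `%{NAME:field}` is expanded into a regex exactly as grok does, using the real POSINT definition from logstash-patterns-core, and a small kv parser is run over the sample line posted above. The function names and the sample constant are this example's own.

```python
import re

# Real grok definition (from logstash-patterns-core) for the pattern name used below.
GROK_PATTERNS = {"POSINT": r"\b(?:[1-9][0-9]*)\b"}

def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME:field} and %{NAME} into a Python regex with named groups.
    (Python group names cannot contain dots, so use elapsedtime rather than elapsed.time.)"""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, pattern)

def grok_match(pattern: str, message: str) -> dict:
    """Like the grok filter: the first unanchored match wins; {} means _grokparsefailure."""
    m = re.search(grok_to_regex(pattern), message)
    return m.groupdict() if m else {}

# key=value pairs as they appear inside the braces: values are either "quoted" or bare.
KV_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|([^,}\s]+))')

def kv_inside_braces(message: str) -> list:
    """Emulate grok + kv: one dict per {...} block, in the order the blocks appear."""
    blocks = []
    for block in re.finditer(r"\{([^{}]*)\}", message):
        pairs = {}
        for m in KV_PAIR.finditer(block.group(1)):
            key, quoted, bare = m.groups()
            pairs[key] = quoted if quoted is not None else bare
        blocks.append(pairs)
    return blocks

# The sample line from the thread above (two "Operation completed" blocks on one line).
SAMPLE = ('2022-08-03 08:13:54,376 INFO 1343434000 Server.Servlet <Gxyzdvlet> [TraceID: 5bdd1e20] '
          'Operation completed {url="https://url", servletClass="edge.servlet.jsonrpc.JsonRpcServlet", '
          'executionTime=1530637574515724, from="1vvvv", user="11341444441000", elapsedTimeMs=301, '
          'message="lll servlet has stopped processing the request", eventType="STOP", serverID="abc-def-3434"}, '
          'Operation completed {url="https://ttttt", servletClass="edge.servlet.jsonrpc.JsonRpcServlet", '
          'executionTime=1530637574515724, from="12.34.56.78", user="1vvv0", elapsedTimeMs=301, '
          'message="u servlet has stopped processing the request", eventType="STOP", serverID="lxyz-def-213"}')

if __name__ == "__main__":
    print(grok_match("elapsedTimeMs=%{POSINT:elapsedtime}", SAMPLE))  # {'elapsedtime': '301'}
    for block in kv_inside_braces(SAMPLE):
        print(block["serverID"], block["elapsedTimeMs"])
```

Note that the unanchored grok pattern only ever fills `elapsedtime` from the first occurrence on the line; the second block's value is only reachable by parsing each `{ .. }` separately, as `kv_inside_braces` does.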
