Cutting or parsing specific characters out of a filtered variable

I am dealing with a filter where it pulls out sudo commands from RHEL 6 OS.

An example is this: "argc=2 a0=sudo a1=chpasswd"
I currently in my grok filter use this command to assign it to a variable: ".*argc=%{DATA:CMD}\d{2}"
results in: "2 a0=sudo a1=chpasswd"

My question is how can I still get that data filtered for my variable CMD, but remove the "2 a0=" and the "a1=" so that the result for CMD ends up being: "sudo chpasswd"?

Thanks for the help!

I apologize for the awful ugliness of this code, but

    # split the audit line into key=value pairs under a metadata field
    kv { source => "message" target => "[@metadata][kvdata]" }
    ruby {
        code => '
            kvdata = event.get("[@metadata][kvdata]")
            i = 0
            s = ""
            # walk a0, a1, a2 ... until the next argument is missing
            while v = kvdata["a#{i}"]
                s += v + " "
                i += 1
            end
            # drop the trailing space before storing the joined command
            event.set("someField", s.chomp(" "))
        '
    }
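The same reconstruction in plain Ruby, as an added example that is not code from this thread: it uses argc to decide how many aN fields must be present (so a missing argument is reported instead of silently truncating the command) and, as an assumption beyond the thread's unquoted sample, also accepts auditd's double-quoted arguments and its uppercase-hex rendering of arguments with special characters. The function names are my own; inside a Logstash ruby filter you would pass event.get("message") and event.set the result.

```ruby
# Added example (not from the thread): rebuild the argv string from an
# auditd EXECVE-style message such as 'argc=2 a0=sudo a1=chpasswd'.

# key=value pairs; a value is either a bare token or a double-quoted
# string (auditd quotes arguments that contain spaces).
AUDIT_KV = /(\w+)=("(?:[^"\\]|\\.)*"|\S+)/

# Assumption: a bare value made only of uppercase hex pairs is auditd's
# hex encoding of an argument with control or non-ASCII bytes.
HEX_VALUE = /\A(?:[0-9A-F]{2})+\z/

def parse_audit_kv(message)
  message.scan(AUDIT_KV).each_with_object({}) do |(key, raw), fields|
    fields[key] =
      if raw.start_with?('"')
        raw[1..-2]                      # strip the surrounding quotes
      elsif raw.match?(HEX_VALUE)
        [raw].pack("H*")                # decode hex back to the bytes
      else
        raw
      end
  end
end

# Returns the arguments joined by single spaces, or nil when the record
# is not a complete EXECVE entry (no numeric argc, or an aN below argc
# is missing). Callers can alert on nil rather than index a bad command.
def audit_command(message)
  fields = parse_audit_kv(message)
  argc_str = fields["argc"]
  return nil unless argc_str&.match?(/\A\d+\z/)
  args = (0...argc_str.to_i).map { |i| fields["a#{i}"] }
  return nil if args.any?(&:nil?)
  args.join(" ")
end

if __FILE__ == $PROGRAM_NAME
  # constructed sample line, same shape as the one in the question
  puts audit_command("argc=2 a0=sudo a1=chpasswd")   # sudo chpasswd
end
```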

Is there a way to do it without looping?
