Determine when to stop capturing event and start another one

sahar_q · May 17, 2017, 10:13am

Hi guys, say im sending an data to log stahs through http, the data is separated in commas and each line represent and single event (that i want it to be independent as a document)
Data for example:

"192.168.0.1","255.255.255.245","01-00-5e-40-98-8f","static"|
"192.168.0.1","255.255.255.250","01-00-5e-7f-ff-fa","static"|
"192.168.0.1","255.255.255.255","ff-ff-ff-ff-ff-ff","static"|

i used csv filter like so :

csv {
columns => [
"interface",
"ip address",
"physical address",
"type"
]
separator => ","
}

and i want each line to be represented as a document with this filter, but i dont quite get how do i seperate the events.

Edit: Problem solved.

warkolm · May 21, 2017, 12:00am

Is the | the delimiter int he http body?

sahar_q · May 28, 2017, 12:44pm

yes it is
Edit: Problem solved.

warkolm · May 28, 2017, 8:47pm

How did you solve it?

sahar_q · May 29, 2017, 8:07am

I decided to use split{} and grok in order to get what i want.
the full input is recived via http and this is the config i used:

filter{
mutate {
remove_field => ["headers"]
}
split {
field => "message"
terminator => "|"
}
grok {
match => {"message" => ["%{IP:interface},%{IP:internet_address},%{MAC:physical_address},%{WORD:type}"]}

}
}

system · June 26, 2017, 8:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.