Dissect file pattern that is not always available

mikhatanu · July 22, 2022, 11:11am

Hello, i have a txt that looks like this:

ltm classification application app_name { application-id 7974 category Entertainment description "this app is popular. (tcp/http/ssl)" predefined yes risk 3 }
ltm classification application app1234_name { application-id 1234 category Entertainment description "this app is not popular. (udp)" predefined yes }

This log sometimes doesnt have the risk part as shown above. Can i still use dissect on this? This is my current config:

input {
  file {
      path => ["/some/data/path/appid_list_20220707.txt"]
      start_position => beginning
  }
}
filter{
  dissect{
    mapping=> {
      "message" => 'ltm %{ltm} application %{[application][name]} { application-id %{[application][id]} category %{[application][category]} description "%{[application][description]}" predefined %{[application][predefined]} risk %{[application][risk]} }'
    }		
  }
}
output {
  stdout { }	
}

leandrojmp · July 22, 2022, 12:26pm

It will fail on every message that does not have the risk in it and you will need another dissect.

You could a conditional to test if you have risk in the message and send it to the correct dissect.

if "risk" in [message] {
    dissect { dissect for messages with risk }
} else {
    dissect { dissect for messages without risk }
}

Badger · July 22, 2022, 4:46pm

You may want to use a combination of dissect and grok. For example,

grok { match => { "message" => "%{GREEDYDATA:[@metadata][prefix]}" predefined %{WORD:[application][predefined]}( risk %{[application][risk]})?"
dissect { mapping => { "[@metadata][prefix]" => " ... " } }

mikhatanu · July 25, 2022, 2:42am

this can fail if the log description contains the word risk and the log doesn't have risk in the back of it

mikhatanu · July 25, 2022, 3:12am

Is there something like a try and catch, where i can try the first dissect. If the first fails, i can use the second dissect

Badger · July 25, 2022, 3:20am

No, you can use a pattern match to test whether a field matches a pattern and only apply the dissect if it matches. The pattern for the =~ and the dissect will look different, but have to match.

mikhatanu · July 25, 2022, 5:51am

I decided to changed my filter to mutate (remove curly brackets) + kv (to creat field automatically)

filter{
  mutate{
    gsub => ["message","[{}]",""]
  }
  kv{
    value_split => " "
  }
}

system · August 22, 2022, 5:51am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.