Event with multiple patterns

Hello,

I have an event as below:
Rule 'device' failed for user 'user45' reason 'Rule1:OS not found'.

grok {
match => ["event","%{GREEDYDATA}reason '%{GREEDYDATA:rule}:%{GREEDYDATA:reason}'."]
}

rule: Rule1
reason: OS not found

But now I have the same event with multiple occurrences after reason, separated by a ";":
Rule 'device' failed for user 'user45' reason 'Rule1:OS not found;Rule5:certificate not found'.

So I have an event as below:
....... reason 'Rule1:reason1;Rule2:reason2;...;RuleX:reasonX'.

I want to put these values into 2 fields: rule and reason (each value separated by a ",")
rule: Rule1, Rule5, ...
reason: OS not found, certificate not found, reason

Do you know how I can achieve this? Using regex, I suppose.

When I run

input { generator { count => 1 lines => [ '' ] } }
filter {
    mutate { add_field => { "reasons" => "reason 'Rule1:reason1;Rule2:reason2;Rule5:reason5'." } }
    ruby {
        code => '
            matches = event.get("reasons").scan(/(Rule\d+):([^;]+)[;\']/)
            rule = ""
            reason = ""
            matches.each_index { |x|
                rule += matches[x][0] + ","
                reason += matches[x][1] + ","
            }
            event.set("rule", rule.delete_suffix(","))
            event.set("reason", reason.delete_suffix(","))
        '
    }
}
output  { stdout { codec => rubydebug { metadata => false } } }

I get

    "reason" => "reason1,reason2,reason5",
   "reasons" => "reason 'Rule1:reason1;Rule2:reason2;Rule5:reason5'.",
      "rule" => "Rule1,Rule2,Rule5"
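As an added example (not code from either post), the same extraction written as plain Ruby that can be run outside Logstash. It restricts itself to the quoted text after `reason`, so the leading `Rule 'device'` is not picked up, splits each pair on the first ":" only (a reason containing ":" stays intact), handles both the single-rule and the multi-rule form of the event, and returns nil when the `reason '...'` segment is missing. `DemoEvent` is an assumed stand-in for `LogStash::Event` offering only `get`/`set`; inside a real `ruby { code => '...' }` filter the body of `enrich_event` would be used as-is with the real event.

```ruby
# Added example, not from the thread. Parses the reason '...' segment of the
# event line into two comma-separated fields, rule and reason.

# Constructed sample events, in the format the question shows.
SAMPLE_SINGLE = "Rule 'device' failed for user 'user45' reason 'Rule1:OS not found'."
SAMPLE_MULTI  = "Rule 'device' failed for user 'user45' " \
                "reason 'Rule1:OS not found;Rule5:certificate not found'."

# Returns { "rule" => "Rule1, Rule5", "reason" => "..." } or nil when the
# message carries no reason '...' segment.
def parse_rule_reasons(message)
  # Take only the single-quoted text following "reason", not the whole line,
  # so other quoted values on the line are ignored.
  segment = message[/reason '([^']*)'/, 1]
  return nil if segment.nil?

  rules = []
  reasons = []
  segment.split(";").each do |pair|
    # Split on the first ":" only; a reason such as "x:y" keeps its colon.
    rule, reason = pair.split(":", 2)
    next if rule.nil? || reason.nil? # skip malformed pairs without a ":"
    rules << rule.strip
    reasons << reason.strip
  end

  { "rule" => rules.join(", "), "reason" => reasons.join(", ") }
end

# Assumed minimal stand-in for LogStash::Event so the example runs offline;
# only get/set are used by the filter logic below.
class DemoEvent
  def initialize(fields)
    @fields = fields
  end

  def get(name)
    @fields[name]
  end

  def set(name, value)
    @fields[name] = value
  end
end

# The body a Logstash ruby filter would run: read "message", write the two
# fields, and leave the event untouched when there is nothing to parse.
def enrich_event(event)
  parsed = parse_rule_reasons(event.get("message").to_s)
  return event if parsed.nil?

  event.set("rule", parsed["rule"])
  event.set("reason", parsed["reason"])
  event
end

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_SINGLE, SAMPLE_MULTI].each do |line|
    ev = enrich_event(DemoEvent.new("message" => line))
    puts "rule:   #{ev.get('rule')}"
    puts "reason: #{ev.get('reason')}"
  end
end
```

Splitting on ";" and then on the first ":" avoids hard-coding the `Rule\d+` name pattern, so rules named differently still parse; if the rule names must match exactly `RuleN`, a check on `rule` after the split is the place to add it.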
