Hi Community, i'm executing several linux commands in Logstash. and i want to extract specific fields to build some graphs in Kibana. for Example this is the result of an executed command
[2021-02-13 19:28:49.200] chan dur ibss obss interf time
[2021-02-13 19:28:49.216] 36 1599 13 0% Low 4 0% Low 0 0% Low 311143
How can i use the field " interf" and its value " 0 0% Low" to build a chart with timestamp axe?
Thank you!
My understanding is that the channel is printed left-adjusted (%-3u), so there will always be a space in front of it. You will need a grok specific to the line format. In this case
if [message] =~ /obss/ { drop {} }
grok { match => { "message" => "^\[%{TIMESTAMP_ISO8601:[@metadata][timestamp]}\] %{NUMBER:chanspec:int}\s+%{NUMBER:duration:int}\s+%{NUMBER}\s+%{NUMBER}%\s+%{WORD}\s+%{NUMBER:obssCongest:int}\s+%{NUMBER:obssPercent:int}%\s+%{WORD:obssLevel}\s+%{NUMBER:f9:int}\s+%{NUMBER:f10:int}%\s+%{WORD:f11}\s+%{NUMBER:f12:int}" } }
date { match => [ "[@metadata][timestamp]", ISO8601 ] }
will produce
"obssPercent" => 0,
"obssLevel" => "Low",
"f10" => 0,
"f12" => 311143,
"chanspec" => 36,
"duration" => 1599,
"f11" => "Low",
"@timestamp" => 2021-02-14T00:28:49.216Z,
"f9" => 0,
"obssCongest" => 4,Your [message] field has leading spaces so you would need to replace the ^ in the grok pattern with ^\s+
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.