Extract a substring from field

Francesco_Denardi · March 21, 2019, 3:04pm

Hi,

I would extract a substring from field for example

I have this field

@message
type=USER_AUTH msg=audit(155558731.704:1977444): pid=126 uid=0 auid=42949672915 ses=42945 msg='op=PAM:authentication grantors=pam_unix acct="rodrigo.adsa" exe="/usr/sbin/sshd" hostname=baseserver addr=19.13.22.10 terminal=ssh res=success

I would to create SUB field for exemple

@type USER_AUTH
@acct "rodrigo.adsa"
@hostname baseserver

I know that it's possible made this from "script field" and also with GROK INGEST
Which is the best solution
How I can do this?

Marius_Dragomir · March 22, 2019, 12:02pm

The best solution is to do this at ingest as it will be less resource intensive. I recommend asking in the Logstash forums as they have more expertise on this.

Francesco_Denardi · March 22, 2019, 1:26pm

Yes I know but i've used a Elasticsearch service on AWS, so I put data into elastic cluster with lamba function, so i prefer for now to use script field. is it possible?

sebastien · March 22, 2019, 1:45pm

Yes, you probably want to go with ingest pipeline then
https://www.elastic.co/guide/en/elasticsearch/reference/master/grok-processor.html

system · April 19, 2019, 1:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Fetch the substring of a field and draw pie-chart visualization of counts in Kibana Kibana	2	2364	April 1, 2018
Extracting substring from a field Kibana runtime	5	158	July 7, 2024
Fetching substring from a string in kibana Kibana	9	1489	August 28, 2023
Fetch substring from a string in logstash filter Logstash	2	485	September 4, 2023
Extract substring from field Logstash	4	4720	June 11, 2019

Extract a substring from field

Related Topics