Extract a substring from field

Francesco_Denardi · March 21, 2019, 3:04pm

Hi,

I would extract a substring from field for example

I have this field

@message
type=USER_AUTH msg=audit(155558731.704:1977444): pid=126 uid=0 auid=42949672915 ses=42945 msg='op=PAM:authentication grantors=pam_unix acct="rodrigo.adsa" exe="/usr/sbin/sshd" hostname=baseserver addr=19.13.22.10 terminal=ssh res=success

I would to create SUB field for exemple

@type USER_AUTH
@acct "rodrigo.adsa"
@hostname baseserver

I know that it's possible made this from "script field" and also with GROK INGEST
Which is the best solution
How I can do this?

Marius_Dragomir · March 22, 2019, 12:02pm

The best solution is to do this at ingest as it will be less resource intensive. I recommend asking in the Logstash forums as they have more expertise on this.

Francesco_Denardi · March 22, 2019, 1:26pm

Yes I know but i've used a Elasticsearch service on AWS, so I put data into elastic cluster with lamba function, so i prefer for now to use script field. is it possible?

sebastien · March 22, 2019, 1:45pm

Yes, you probably want to go with ingest pipeline then
https://www.elastic.co/guide/en/elasticsearch/reference/master/grok-processor.html

system · April 19, 2019, 1:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Fetch the substring of a field and draw pie-chart visualization of counts in Kibana Kibana	2	2370	April 1, 2018
Index a substring Kibana	3	980	June 29, 2019
Extracting substring from a field Kibana runtime	5	188	July 7, 2024
How to use the script field for string Kibana	9	5872	April 20, 2020
Scripted Field "String, in between two strings" Kibana	2	1570	April 26, 2018

Extract a substring from field

Related topics