Extract and add field

Elastic Stack Logstash
1

Hello,

How can I extract a value from message field and add field with the extracted value?

For example, message field is as below.

"message": "This is a test.\n\nSubject:\n\tSecurity ID:\t\tT-E-S-T\n\tAccount Name:\t\tTEST$\n\tAccount Domain:\t\ttest\n\tLogon ID:\t\ttest\n\nService:\n\tServer:\tNT Test / Test\n\tService Name:\tTestProcess()\n\nProcess:\n\tProcess ID:\ttest\n\tProcess Name:\tC:\Windows\System32\test.exe\n\nService Request Information:\n\tPrivileges:\t\tTest"

I want to extract only "C:\Windows\System32\test.exe" from the message and add field.

How can I do that with filter of Logstash?

2

Have a look at the grok filter.

3

I am trying with grok filter. Could you give me any guidance? The filter below is not working.

  grok {
     match => { "message" => "(?<process_name>C\:*.exe)" }
  }
4

You're on the right track but your regexp is wrong. This should at least be closer:

(?<process_name>C:\\\S\.exe)

Literal backslashes need to be escaped, \S matches all non-whitespace characters, and periods should be escaped too. You should probably Include "Process Name" too since there might an .exe filepath somewhere else in the message.

5

Thank you for your feedback.

But it is not working. The process_name field is not added. :frowning:

Also I can't find any error logs at the logstash logs.

6

Try this, this should work :
(?<process_name>C:\\.*\.exe)

7

It works.

Thank you a lot!!

8

You're welcome :slight_smile: