Extract information from text and add as value to new field using grok and regular expression

Hello,

I'm a total newbie. I monitor a Twitter feed using ELK. I want to be able to visualize in Kibana based on CVE numbers. I have been trying to use grok to add a new field containing only a CVE number if it can be found in the text. I want to make it case insensitive and, if possible, also add multiple fields if more than one CVE number could be found.

A CVE number typically looks like this CVE-2016-2345 or CVE-2015-2312 and may exist anywhere in the Twitter text.

This is what I have now and it's not working. It correctly adds the field, but the value is the full text from Twitter, where I only want it to be the extracted CVE number.

filter {
    grok {
        match => [ 'text', '(CVE-[0-9]{4}-[0-9]{4})' ]
        # add_field interpolates the whole 'text' field, not the grok capture
        add_field => [ "CVE", "%{text}" ]
    }
}
grok {
  match => ["text", "(?<cve>CVE-\d{4}-\d{4})"]
}

Not sure if you can get it to swoop up all CVEs. As written above it'll just pick up the first match (if any). You may have to use the ruby filter for that.
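The ruby filter route the answer points at, as an added example that is not from this thread or from Logstash itself. The named capture in the grok above writes just the matched substring (which is why it fixed the "whole tweet" problem), but grok returns only the first match and is case-sensitive as written. The plain Ruby below scans a tweet for every CVE identifier, case-insensitively, deduplicates them and normalises to upper case. It also accepts sequence numbers of four or more digits: IDs assigned since 2014 can be longer than four digits, so a pattern ending in \d{4} would turn CVE-2017-1000253 into the wrong ID CVE-2017-1000. The Event class and the sample tweets are constructed stand-ins; the event.get / event.set calls assume the Logstash 5+ ruby filter API.

```ruby
# Added example (not from the original thread): extract every CVE ID from a
# tweet, the way a Logstash ruby filter would. Event is a constructed stand-in
# for Logstash's event object (assumption: Logstash >= 5, event.get/event.set).

# Case-insensitive, word-bounded, sequence number of 4 or more digits.
CVE_PATTERN = /\bCVE-\d{4}-\d{4,}\b/i

# Return all CVE IDs found in text, upper-cased and deduplicated, in order
# of first appearance. nil (missing field) yields an empty list.
def extract_cves(text)
  return [] if text.nil?
  text.to_s.scan(CVE_PATTERN).map(&:upcase).uniq
end

# Minimal stand-in for the Logstash event API used inside `ruby { code => ... }`.
class Event
  def initialize(fields)
    @fields = fields
  end

  def get(name)
    @fields[name]
  end

  def set(name, value)
    @fields[name] = value
  end

  def to_hash
    @fields.dup
  end
end

# Body of the filter: set an array field 'cve' only when at least one ID is
# present, so tweets without CVEs keep a clean document in Kibana.
def filter(event)
  cves = extract_cves(event.get('text'))
  event.set('cve', cves) unless cves.empty?
  [event]
end

# Constructed sample tweets covering mixed case, a long sequence number,
# no identifier at all, and a duplicated mention.
SAMPLE_TWEETS = [
  "Patch now: cve-2016-2345 and CVE-2015-2312 exploited in the wild",
  "Heads up on CVE-2017-1000253 (seven-digit sequence number)",
  "No identifiers here, just noise",
  "Duplicate mention CVE-2016-2345 ... CVE-2016-2345 again",
].freeze

if __FILE__ == $0
  SAMPLE_TWEETS.each do |tweet|
    ev = Event.new('text' => tweet)
    filter(ev)
    puts "#{ev.get('cve').inspect}  <= #{tweet}"
  end
end
```

Inside Logstash the three lines of filter go into `ruby { code => "..." }`, where `event` is already in scope; Kibana can then aggregate on the `cve` array field directly. If you would rather stay with grok, the inline flag `(?i)` at the start of the pattern makes it case-insensitive (`(?i)(?<cve>cve-\d{4}-\d{4,})`), but grok will still stop at the first match.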

Thanks a lot, it works just perfect. I will look into the Ruby filter myself :slight_smile: