Extracting a field further after its been parsed by Grok Filter

rmoss25 · March 20, 2021, 11:23am

HI,
Is there a way to parse a field further after its already been parsed by grok? So after I parse out DN from the main message, I now want to parse DN further as it contains a username. So I want to parse out test.Test as a username after it already been parsed as DN.

12-MAR-21 00:43:38|158.98.214.94|15|CN=Test.Test,OU=alpha Users,OU=alpha,OU=Business Units,DC=alphadev,DC=dev,DC=abc,DC=ca|foJ16BD1/B42LI5Cfke/D4oDcUA=|TEST"

filter {
    grok   {
             match => { "message" => [ "%{GREEDYDATA:timestamp}\|%{IPV4:src_ip}\|%{WORD:event_id}\|%{GREEDYDATA:DN}\|%{NOTSPACE:session}\|%{WORD:application}" ] }
    remove_field => ["message"]
    grok
           }
           }

Felix_Roessel · March 20, 2021, 12:22pm

After the grok filter has applied the extracted fields are available for the next filters. So you could apply another grok after the first one.

rmoss25 · March 21, 2021, 12:12pm

Thanks,
I have tried to add the extra grok but I cant get logstash to start without errors on the syntax. Is it as simple as the below?

filter {
grok   {
         match => { "message" => [ "%{GREEDYDATA:timestamp}\|%{IPV4:src_ip}\|%{WORD:event_id}\|%{GREEDYDATA:DN}\|%{NOTSPACE:session}\|%{WORD:application}" ] }
grok
       {
        match => { "DN" => [\w+\=%{WORD:User}] }
       }
{
remove_field => ["message"]

       }
       }

Felix_Roessel · March 21, 2021, 8:29pm

Your first Grok has no closing bracket.
Thatswhy Logstash is not starting.