Extracting the message and adding new fields dynamically

Santhosh_ic · April 2, 2018, 10:04am

Hi,

I have below mentioned log events. From the last part, slog_message, "GREEDYDATA" in the grok, I would like to match again on that and extract various data out of it. For example, device id's, usernames etc. How can that be achieved? I want to create Kibana dashboards grouped by the device ids or usernames etc.

==========Log events=================
2018/02/09 09:21:08.800 CONSOLE 7aab3115-03e8-42d4-94ed-a7af754ffa6e [0000000-0000000] (12) Info a.b.c.d.e.listener 0 Agent Profiles To Install For Device ID 2
2018/03/30 09:47:35.081 CONSOLE 95e3c58a-07bc-4354-8f71-0f3d133daa43 [0000000-0000000] (8) Info a.b.c.d.e.LoginController Invalid user for console login: adminafaff
2018/03/30 09:47:35.081 CONSOLE 597bd229-3f41-49ac-9e44-6559dcb63a81 [0000000-0000000] (10) Info a.b.c.Web.d.e.authenticate User is not logged in, redirecting to login page
2018/03/30 09:47:35.128 CONSOLE 95e3c58a-07bc-4354-8f71-0f3d133daa43 [0000000-0000000] (8) Info a.b.c.Web.d.e.Controllers.LoginController New invalid user: adminafaff

==========Configuration=================
input {
beats {
port => 5044
}
}

filter {
grok {
match => {"message" => "(?<slog_date>^\d{4}/\d{2}/\d{2})\s{1,}%{TIME: slog_time_stamp}\s{1,}%{USERNAME:slog_host}\s{1,}%{UUID:slog_uuid}\s{1,}(?<slog_thread-id>[[0-9-]+])\s{1,}((?<slog_pid>[0-9]+))\s{1,}%{LOGLEVEL:slog_level}\s{1,}%{GREEDYDATA:slog_message}"}
}

//Something of this sort.
if [slog_message] =~ "New invalid user:" {
//extract the username from the slog_message
match => {slog_message => "^[a-zA-Z.]+\s{1,}New invalid user:\s{1,}(?<invalid_user>[a-zA-Z]+)\s{0,}$"}
}
if [slog_message] =~ "Device ID" {
//extract device id "2"
}
if [slog_message] =~ "Invalid user for console login:" {
//extract the username
}
}

output {
elasticsearch {
hosts => "localhost:9200"
manage_template => false
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}

magnusbaeck · April 3, 2018, 6:29pm

//Something of this sort.
if [slog_message] =~ "New invalid user:" {
//extract the username from the slog_message
match => {slog_message => "^[1]+\s{1,}New invalid user:\s{1,}(?<invalid_user>[a-zA-Z]+)\s{0,}$"}
}

You're close:

//Something of this sort.
if [slog_message] =~ "New invalid user:" {
  grok {
    //extract the username from the slog_message
    match => {slog_message => "^[a-zA-Z.]+\s{1,}New invalid user:\s{1,}(?<invalid_user>[a-zA-Z]+)\s{0,}$"}
  }
}

a-zA-Z. ↩︎

Santhosh_ic · April 11, 2018, 5:39am

Thank you @magnusbaeck for the quick response. That worked.

Was my approach the efficient or the right way to do? Are there any other better ways of achieving it?

magnusbaeck · April 11, 2018, 5:59am

You could've just skipped the conditional and tried the grok filter with tag_on_failure set to an empty array.

Santhosh_ic · April 23, 2018, 10:08am

@magnusbaeck can this step be done with elastic search instead of doing this in the log stash phase? If we can, then how to do it with elastic search?
Which is more efficient? groking in log-stash or doing it with elastic search?

magnusbaeck · April 23, 2018, 10:35am

You should be able to set up an Elasticsearch ingest pipeline to perform the same thing. I don't know which options performs best.

Santhosh_ic · April 23, 2018, 2:44pm

Thank you for a quick response.

system · May 21, 2018, 2:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Extract Data from message to display each field as a column in kibana Logstash	10	10177	April 6, 2018
Extract specifc field from greedydata Logstash	5	663	July 1, 2019
Extracting fields from path and adding them to new elapsed events Logstash	1	238	October 22, 2019
Extracting a new field from the message field Logstash	9	4858	April 6, 2020
Regex Pattern to fetch field from message Logstash	2	299	January 17, 2023

Extracting the message and adding new fields dynamically

Related Topics