Filter an IP with Variable part

vtmtwwf · April 16, 2016, 3:13am

Hello everybody!
I am receiving logs from several routers in a building with 20 companies. I would like to identify my top 10 Internet destinations, but I would like to see the Name of the destination in my Kibana graphs, not the IP.
So I guess I might use DNS resolving (but I am afraid it's gonna be too many requests)... or I might use the Filter and Mutate function, but I need some help:

filter { if [dst_ip] == "31.13.95.14" { mutate { replace => [ "dst_ip", "BLUE-WEBSITE" ] } } }

Works fine for 1 IP. But BLUE-WEBSITE has more than 1 IP, it has several in the same subnet. So I would like to do something like this, can I?

filter { if [dst_ip] == "31.13.95.xxx" { mutate { replace => [ "dst_ip", "BLUE-WEBSITE" ] } } }

But this doesn't work at all, the XXX is not understood.

Does anyone has any clue? Thank you so much!
Vincent.

vtmtwwf · April 16, 2016, 4:32am

Hi there!

I've just found something that seems to work:

filter { if [dst_ip] =~ "(^31.13.95.)" { mutate { replace => [ "dst_ip", "BLUE-WEBSITE" ] } } }

But I am looking forward to read your good suggestions.
Vincent.

magnusbaeck · April 18, 2016, 9:09pm

Have a look at the translate filter.

Topic		Replies	Views
Conditional filtering by source with IP addresses Logstash	7	6999	April 11, 2017
Filter "logstash-filter-dns" doesn't work Logstash	1	452	August 10, 2018
How to filter with a few value? Kibana	8	696	February 20, 2018
Any alternatives to if and mutate? Logstash	3	693	July 6, 2017
How to match IP address to hostname (dns filter) Logstash	3	1569	October 19, 2020

Filter an IP with Variable part

Related topics