Filter first match only using Grok or ruby code

rootk1d · October 4, 2022, 10:21am

I have a field that contains the following data

"REQUEST-941-APPLICATION-ATTACK-XSS, REQUEST-941-APPLICATION-ATTACK-XSS, REQUEST-941-APPLICATION-ATTACK-XSS, REQUEST-942-APPLICATION-ATTACK-SQLI, REQUEST-949-BLOCKING-EVALUATION, RESPONSE-980-CORRELATION

And I want to return the first item only ie: (REQUEST-941-APPLICATION-ATTACK-XSS), but when i use this grok filter

grok
    {
        match => {"attack_names" => "(?<attack>^[A-Z1-9-]+)"}
        remove_field => ["attack_names"]
    }

it return all occurrences

"REQUEST-941-APPLICATION-ATTACK-XSS, REQUEST-941-APPLICATION-ATTACK-XSS, REQUEST-941-APPLICATION-ATTACK-XSS, REQUEST-942-APPLICATION-ATTACK-SQLI, REQUEST-949-BLOCKING-EVALUATION, RESPONSE-980-CORRELATION

So, I tried this ruby code:

ruby 
    {
 	code => "
    		saveid = event.get('attack_names').split(',')[0]
    		event.set('attack',saveid)
    		"
    }

but this dosen't seem to do anything and the field isn't added to the data.

So, what I'm doing wrong here?

Rios · October 4, 2022, 11:52am

Grok

grok
    {
        match => {"attack_names" => "%{USERNAME:attack},\s+"}
        remove_field => ["attack_names"]
    }

Use csv plugin on attack_names, rename only column1
Use mutate gsub to split by "," , your array will have 1st member [0]

system · November 1, 2022, 11:53am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to use grok filter on XML field Logstash	6	944	June 20, 2019
How to get first match regex grok Logstash	1	268	April 2, 2020
Stop proccesing events/lines after first grok match Logstash	11	2780	February 9, 2020
How to send grok field into ruby Logstash	9	1075	June 25, 2018
Remove Specific Field matching pattern Logstash	5	764	April 19, 2023

Filter first match only using Grok or ruby code

Related topics