Filter multiple spaces with a single Dissect field?

Hello, I am trying to extract the message part of the event below which starts at "Not able to... " without having to use multiple %{+error_message} fields but only a single field. Is that possible?

17.01.2019 17:16:23.175 WARN [10.43.32.119 [1547745383173] GET /content/regent.html HTTP/1.1] com.adobe.fd.core.security.internal.CurrentUserServiceImpl Not able to find user for userId [anonymous]

My LS config file looks like this and it works, but I am trying to be more efficient with fewer lines in my code.

input {
  file {
    path => "/root/logstash/aemlog"
    sincedb_path => "/dev/null"
    start_position => "beginning"
  }
}

filter {
  dissect {
    mapping => {
      "message" => "%{syslog_timestamp} %{+syslog_timestamp} %{severity} [%{ip} %{?skip1} %{method} %{file} %{version}] %{?skip2} %{error_message} %{+error_message} %{+error_message} %{+error_message} %{+error_message} %{+error_message} %{+error_message} [%{username}] "
    }
  }
}

The output looks like:
"error_message" => "Not able to find user for userId",
"severity" => "WARN",
"method" => "GET",
"ip" => "10.43.32.13",
"version" => "HTTP/1.1",
"file" => "/content/regent.html",
"syslog_timestamp" => "17.01.2019 17:16:13.135",
"username" => "anonymous]"

Thank you

As you have a space followed by a square bracket at the end of the error message I think you can simplify it:

input {
  generator {
    lines => ['17.01.2019 17:16:23.175 WARN [10.43.32.119 [1547745383173] GET /content/regent.html HTTP/1.1] com.adobe.fd.core.security.internal.CurrentUserServiceImpl Not able to find user for userId [anonymous]']
    count => 1
  } 
} 

filter {
  dissect {
    mapping => {
      "message" => "%{syslog_timestamp} %{+syslog_timestamp} %{severity} [%{ip} %{} %{method} %{file} %{version}] %{} %{error_message} [%{username}]%{}"
    }
  }
}

output {
  stdout { codec => rubydebug }
}

Thanks Christian! That really worked; below is my output with only one dissect field for the error_message. Definitely more efficient. Thank you!

"severity" => "WARN",
"error_message" => "Not able to find user for userId",
"method" => "GET",
"ip" => "10.43.32.13",
"syslog_timestamp" => "17.01.2019 17:16:13.135",
"@version" => "1",
"username" => "anonymous"
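
Why the single %{error_message} field is enough, as an added example that is not part of the original posts and is not Logstash's own code: a minimal Ruby sketch of delimiter-based dissection, where each field runs up to the next literal delimiter, so a field followed by ` [` can contain any number of spaces. The helper names `store` and `dissect`, joining appended values with one space, and taking the rest of the line when a delimiter is missing are assumptions of this sketch.

```ruby
# Sketch of delimiter-based dissection (added example, not Logstash's code).
# Assumptions: appended values are joined with one space; when a delimiter is
# not found, the current field takes the rest of the line.

# Constructed inputs: the log line and both mappings quoted in the thread.
LINE = '17.01.2019 17:16:23.175 WARN [10.43.32.119 [1547745383173] GET /content/regent.html HTTP/1.1] com.adobe.fd.core.security.internal.CurrentUserServiceImpl Not able to find user for userId [anonymous]'
MULTI_FIELD = '%{syslog_timestamp} %{+syslog_timestamp} %{severity} [%{ip} %{?skip1} %{method} %{file} %{version}] %{?skip2} %{error_message} %{+error_message} %{+error_message} %{+error_message} %{+error_message} %{+error_message} %{+error_message} [%{username}] '
SINGLE_FIELD = '%{syslog_timestamp} %{+syslog_timestamp} %{severity} [%{ip} %{} %{method} %{file} %{version}] %{} %{error_message} [%{username}]%{}'

def store(event, name, value)
  return if name.empty? || name.start_with?('?') # %{} and %{?x} are skipped
  if name.start_with?('+')                       # %{+x} appends to x
    key = name[1..-1]
    event[key] = event.key?(key) ? "#{event[key]} #{value}" : value
  else
    event[name] = value
  end
end

def dissect(pattern, line)
  event = {}
  pos = 0
  pending = nil
  # Splitting on a capture group keeps the %{...} fields between the literals.
  pattern.split(/(%\{[^}]*\})/).each do |part|
    if (m = part.match(/\A%\{([^}]*)\}\z/))
      pending = m[1]                  # field: wait for the delimiter after it
      next
    end
    next if part.empty?
    if pending.nil?                   # literal with no field before it
      return nil unless line[pos..-1].start_with?(part)
      pos += part.length
      next
    end
    idx = line.index(part, pos)       # the field ends at the next delimiter
    if idx.nil?
      store(event, pending, line[pos..-1])
      return event
    end
    store(event, pending, line[pos...idx])
    pos = idx + part.length
    pending = nil
  end
  store(event, pending, line[pos..-1]) if pending
  event
end

p dissect(MULTI_FIELD, LINE)
p dissect(SINGLE_FIELD, LINE)
```

In this sketch the first mapping's final `] ` delimiter (bracket plus trailing space) never occurs in the line, so `username` keeps the closing bracket, as in the first output above.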
