Get value from message and put it into new field

AstroSlazak · October 24, 2019, 11:12am

Hi,

I have a problem i want to get Longitude and Latitude from log:
"2019-10-24 12:01:06,110 [33] INFO XUDP_Endpoint.UdpEnpoint [(null)] - Data received: AS:17907,NW:77,RD:3003,DT24.10.2019 10.01.05, Longitude:10,457207 ,Latitude:63,4354383 ,Bearing:0,Accuracy:0,Lastr: 0,Distance:-1,GPS: 0,Distance: 0 "

right now i get message:
"Data received: AS:17907,NW:77,RD:3003,DT24.10.2019 10.01.05,Longitude:10,457207,Latitude:63,4354383,Bearing:0,Accuracy:0,Lastr: 0,Distance:-1,GPS: 0,Distance: 0"

and i want keep it and create two fields: "Longitude and Latitude" which then i want map to geo_point and display on map. How i suppose to do it ?
I Create this but it seems doesn't work, it even do not create a new field.

filter {
if "log4net.core" in [tags] {
 grok {
  match => { "message" => "(?m)^%{TIMESTAMP_ISO8601:timestamp} \[%{DATA:thread}\] % {DATA:level} %{DATA:logger} - %{GREEDYDATA:message}" }
  overwrite => [ "message" ]
}
date {
  match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS", "yyyy-MM-dd HH:mm:ss.SSSS" ]
  timezone => "Europe/Warsaw"
}

if [service.name] == "XXX" {
mutate{
add_field => { "XXXLon" => "%{message}(?<=Longitude:)[0-9]+(,[0-9]+)*" }
		}
mutate{
gsub => ["XXXLon", ",", "."]
}
}

Badger · October 24, 2019, 3:23pm

add_field does not interpret regular expressions. Try

    grok { match => { "message" => [ "Longitude:(?<Longitude>[0-9]+,[0-9]+)*", "Latitude:(?<Latitude>[0-9]+,[0-9]+)*" ] } break_on_match => false }
    mutate{ gsub => ["Latitude", ",", ".", "Longitude", ",", "." ] }

AstroSlazak · October 25, 2019, 4:16am

Thank you very much that was what i was looking.

But i have one more problem now, when i want to create fields which i will then map to geo_point like below i get in kibana diffrent message, but when i remove to convert to float, message is ok :

	if [service][name] == "XXX" {
grok { match => { "message" => [ "Longitude:(?<Longitude>[0-9]+,[0-9]+)*", "Latitude:(?<Latitude>[0-9]+,[0-9]+)*" ] } break_on_match => false }
mutate{ gsub => ["Latitude", ",", ".", "Longitude", ",", "." ] }

mutate {
copy => {
  "Latitude" => "[XXXLocation][Latitude]"
  "Longitude" => "[XXXLocation][Longitude]"
}
}
mutate {
	convert => {"[XXXLocation][Latitude]" => "float" }}

mutate {
	convert => {"[XXXLocation][Longitude]" => "float" }}

}

what is going on ?

Ok i get it. Change to that works.

mutate {
	convert => {"[XXXLocation][Lat]" => "float" }}

mutate {
	convert => {"[XXXLocation][Lon]" => "float" }}

system · November 22, 2019, 4:16am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Help with filter to create Latitude and Longitude fields Logstash	1	9	September 5, 2024
Creating a map with Latitude and logitude fields - ERROR Logstash	3	262	November 23, 2021
Help to create new field from message Logstash	2	312	February 20, 2023
Extracting data from message Logstash	2	383	July 18, 2018
Extracting a new field from the message field Logstash	9	4884	April 6, 2020

Get value from message and put it into new field

Related topics