Get value from message and put it into new field

Hi,

I have a problem: I want to get Longitude and Latitude from a log:
"2019-10-24 12:01:06,110 [33] INFO XUDP_Endpoint.UdpEnpoint [(null)] - Data received: AS:17907,NW:77,RD:3003,DT24.10.2019 10.01.05, Longitude:10,457207 ,Latitude:63,4354383 ,Bearing:0,Accuracy:0,Lastr: 0,Distance:-1,GPS: 0,Distance: 0 "

Right now I get the message:
"Data received: AS:17907,NW:77,RD:3003,DT24.10.2019 10.01.05,Longitude:10,457207,Latitude:63,4354383,Bearing:0,Accuracy:0,Lastr: 0,Distance:-1,GPS: 0,Distance: 0"

and I want to keep it and create two fields: "Longitude and Latitude", which I then want to map to geo_point and display on a map. How am I supposed to do it?
I created this but it seems it doesn't work; it does not even create a new field.

    filter {
      if "log4net.core" in [tags] {
        # Parse the log4net line and keep only the text after " - " in message
        grok {
          match => { "message" => "(?m)^%{TIMESTAMP_ISO8601:timestamp} \[%{DATA:thread}\] %{DATA:level} %{DATA:logger} - %{GREEDYDATA:message}" }
          overwrite => [ "message" ]
        }
        # Use the timestamp from the log line as the event time
        date {
          match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS", "yyyy-MM-dd HH:mm:ss.SSSS" ]
          timezone => "Europe/Warsaw"
        }

        if [service.name] == "XXX" {
          mutate {
            add_field => { "XXXLon" => "%{message}(?<=Longitude:)[0-9]+(,[0-9]+)*" }
          }
          mutate {
            gsub => ["XXXLon", ",", "."]
          }
        }
      }
    }

add_field does not interpret regular expressions. Try

    grok { match => { "message" => [ "Longitude:(?<Longitude>[0-9]+,[0-9]+)*", "Latitude:(?<Latitude>[0-9]+,[0-9]+)*" ] } break_on_match => false }
    mutate{ gsub => ["Latitude", ",", ".", "Longitude", ",", "." ] }

Thank you very much :smiley: that was what I was looking for.

But I have one more problem now: when I want to create fields which I will then map to geo_point like below, I get a different message in Kibana, but when I remove the conversion to float, the message is OK:

    if [service][name] == "XXX" {
      grok { match => { "message" => [ "Longitude:(?<Longitude>[0-9]+,[0-9]+)*", "Latitude:(?<Latitude>[0-9]+,[0-9]+)*" ] } break_on_match => false }
      mutate { gsub => ["Latitude", ",", ".", "Longitude", ",", "." ] }

      mutate {
        copy => {
          "Latitude" => "[XXXLocation][Latitude]"
          "Longitude" => "[XXXLocation][Longitude]"
        }
      }
      mutate {
        convert => { "[XXXLocation][Latitude]" => "float" }
      }
      mutate {
        convert => { "[XXXLocation][Longitude]" => "float" }
      }
    }

What is going on?

OK, I get it. Changing to this works:

    mutate {
      convert => { "[XXXLocation][Lat]" => "float" }
    }
    mutate {
      convert => { "[XXXLocation][Lon]" => "float" }
    }
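An added example, not part of the original thread: one complete filter that extracts both coordinates from `message`, converts the decimal comma, and builds a single object field for a geo_point mapping. It assumes the index template maps `XXXLocation` as `geo_point` (whose object form uses the keys `lat` and `lon`); the `_coordinates_missing` tag and the optional minus sign for southern or western coordinates are additions that go beyond the thread.

```logstash
filter {
  if [service][name] == "XXX" {
    # add_field only does %{field} substitution, so the regex work is done by grok.
    # break_on_match => false makes grok try every pattern instead of stopping
    # at the first one that matches. "message" itself is left unchanged.
    grok {
      match => {
        "message" => [
          "Longitude:(?<Longitude>-?[0-9]+,[0-9]+)",
          "Latitude:(?<Latitude>-?[0-9]+,[0-9]+)"
        ]
      }
      break_on_match => false
    }

    if [Longitude] and [Latitude] {
      # Decimal comma -> decimal point; the values are still strings here.
      mutate {
        gsub => [ "Longitude", ",", ".", "Latitude", ",", "." ]
      }
      # Separate mutate blocks are deliberate: inside one mutate block the
      # operations run in a fixed order in which convert comes before gsub,
      # so a combined block would try to convert "10,457207" to float.
      mutate {
        rename => {
          "Longitude" => "[XXXLocation][lon]"
          "Latitude"  => "[XXXLocation][lat]"
        }
      }
      mutate {
        convert => {
          "[XXXLocation][lon]" => "float"
          "[XXXLocation][lat]" => "float"
        }
      }
    } else {
      # Assumed tag name: marks events where a coordinate could not be parsed,
      # so they can be found in Kibana instead of silently lacking a location.
      mutate { add_tag => [ "_coordinates_missing" ] }
    }
  }
}
```

The geo_point mapping has to exist before the first document is indexed; if dynamic mapping has already created `XXXLocation` as a plain object with float subfields, the index must be recreated or reindexed.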
