Hi
I have a working csv filter for a syslog event from Palo Alto (SYSTEM)
# Branch of the filter section that handles PAN-OS SYSTEM events for GlobalProtect
# (follows an earlier `if` branch that is not shown here)
else if ([message] =~ /globalprotect/) {
  # Split the comma-separated PAN-OS SYSTEM log into named fields.
  # The column order follows the PAN-OS SYSTEM log field list.
  csv {
    source => "message"
    columns => [
      "FUTURE_USE", "Receive Time", "Serial Number", "Type", "Content/Threat Type", "FUTURE_USE", "Generated Time",
      "Virtual System", "Event ID", "Object", "FUTURE_USE", "FUTURE_USE", "Module", "Severity", "Description",
      "Sequence Number", "Action Flags", "Device Group Hierarchy Level 1", "Device Group Hierarchy Level 2",
      "Device Group Hierarchy Level 3", "Device Group Hierarchy Level 4", "Virtual System Name", "Device Name"
    ]
  }
  # Tag the event so it can be routed/searched later
  mutate {
    add_tag => [ "PAN-OS_GlobalProtect" ]
  }
}
And now I want to add a grok filter to split the description field into multiple fields:
GlobalProtect %{WORD:GP-VPNType} (user|client) %{WORD:GP-EventAction} %{WORD:GP-EventResult}. Login from: %{IP:GP-IP}, Source region: %{GREEDYDATA:GP-SourceRegion}, User name: %{USERNAME:GP-Username}?[.\\\",] %{GREEDYDATA:GP-Details}
The grok filter is working (tested with the debugger).
But I really don't know how to combine these two things.
Thank you very much for your help!
Kind Regards
Kevin
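One way to combine the two stages, as an added example and not the poster's own configuration: the grok filter goes inside the same conditional block, after the csv filter, and matches against the "Description" field that the csv stage creates rather than against "message". The grok pattern is copied unchanged from the post; the `if [Description]` guard, the `tag_on_failure` value and the `remove_field` for the repeated FUTURE_USE column are assumptions added here, and the branch is written as a plain `if` so the snippet is valid on its own (in the original pipeline it is the `else if` that follows an earlier branch).

```logstash
filter {
  # Same condition as the original branch; written as `if` so this block
  # parses stand-alone. In the full pipeline it stays `else if`.
  if ([message] =~ /globalprotect/) {

    # Stage 1: split the PAN-OS SYSTEM log into its named columns.
    csv {
      source => "message"
      columns => [
        "FUTURE_USE", "Receive Time", "Serial Number", "Type", "Content/Threat Type", "FUTURE_USE", "Generated Time",
        "Virtual System", "Event ID", "Object", "FUTURE_USE", "FUTURE_USE", "Module", "Severity", "Description",
        "Sequence Number", "Action Flags", "Device Group Hierarchy Level 1", "Device Group Hierarchy Level 2",
        "Device Group Hierarchy Level 3", "Device Group Hierarchy Level 4", "Virtual System Name", "Device Name"
      ]
    }

    # Stage 2: only attempt the grok if the csv stage actually produced a
    # Description field (assumed guard; a malformed line would otherwise
    # leave grok nothing to match).
    if [Description] {
      grok {
        # Match against the csv output field, not the raw message.
        # Pattern is the one from the post, unchanged.
        match => {
          "Description" => "GlobalProtect %{WORD:GP-VPNType} (user|client) %{WORD:GP-EventAction} %{WORD:GP-EventResult}. Login from: %{IP:GP-IP}, Source region: %{GREEDYDATA:GP-SourceRegion}, User name: %{USERNAME:GP-Username}?[.\\\",] %{GREEDYDATA:GP-Details}"
        }
        # Assumed tag name: makes Descriptions that do not fit the pattern
        # easy to find instead of silently passing through.
        tag_on_failure => [ "_grokparsefailure_gp_description" ]
      }
    }

    mutate {
      add_tag => [ "PAN-OS_GlobalProtect" ]
      # Assumed: the repeated FUTURE_USE column names collapse into one
      # field holding the last value, which carries no information.
      remove_field => [ "FUTURE_USE" ]
    }
  }
}
```

Filters inside one block run in the order they are written, so the csv stage has already populated "Description" by the time grok runs. Because the csv column name is "Description" with a capital D, the grok `match` key must use exactly that spelling. Events that reach the output with the `_grokparsefailure_gp_description` tag are the ones whose Description text did not fit the pattern, which is the first thing to check if GP-Username or GP-IP turn up empty in the index.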