Hi,
Very new to logstash and grok filtering and I expect this is a really easy thing to do but I've been stuck on it all day after googling lots and not figuring it out. Any help would be very appreciated!
I'm looking to setup a Juniper pipeline and have my logs coming in and the beginning of the grok code works fine but I'm now up to the part of the log where it lists fields like:
logical-system-name="XXXX-SYS" source-address="10.x.x.x"
I want to discard what's before the quotes (and the double quotes themselves) and extract only what's in between the double quotes so I can parse them like:
logical-system-name: james
source-address: 10.22.33.44
At the moment my output in Kibana looks like:
logical-system-name: logical-system-name="james"
source-ip: source-address="10.22.33.44"
I've tried grok debugger and this actually works
%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_sushi_hostname} %{POSINT:syslog_pid} %{TIMESTAMP_ISO8601:syslog_isotimestamp} %{DATA:fw_hostname} %{DATA:apptrack_status} %{DATA:dash} %{DATA:reason_message} %{DATA:james_juno_message} logical-system-name="%{DATA:logical-system-name}" %{GREEDYDATA:syslog_message}"
...but when I copy to Kibana and watch logs come in they stop.
I've also read a lot about mutate & gsub but can't figure it our and not sure how it would be used to discard the beginning of the field which I'm not interested in keeping.
Thanks
James