Hello,
I have event from Acces Point Dlink.
I can parse some events but for this type I need your help:
<6>1707130951,Src_MAC="9E:98:48:98:8E:81",Dst_MAC="EC:AD:E0:7D:5A:98",Src_IP="10.229.64.250",Dst_IP="17.57.146.172",Src_port="59602",Dst_port="5223",Protocol="TCP",SSID="CCN_WIFI_PUBLIC",Auth_type="",Channel="108",RSSI="-84",User_ID=""
Could you help me?
Thanks a lot
Hi,
It looks like a comma-separated list of key-value pairs. You can use the kv filter in Logstash to parse this. Here's an example of how you might do it:
filter {
kv {
source => "message"
field_split => ","
value_split => "="
trim_key => " "
trim_value => " "
remove_char_value => "\""
}
}
Regards
Thanks for your feedback.
If I use this configuration, I only have one line with no spaces in it.
How can I edit th grok match?
thanks a lot
At begging of the line, you have <6>1707130951, you can use grok or dissect and then apply KV which yago82 mentioned. Dissect is much easier.
dissect {
mapping => {
"message" => "<%{procid}>%{sessionid},%{msg}"
}
}
Change source
kv {
source => "msg"...
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.