Grok pattern

abkonred1 · November 1, 2022, 1:05pm

Hi Team,

I need to ingest the below log file, and i required all the fields without pipe. In order to create visualization and dashboards for the same. kindly any one please help, how to split the fields with this log event.

time=1666400383|hostname=XXXXXX|product=Firewall|layer_name=GLOABAL|layer_uuid=f978f8cb-69e7-4f2b-a4ef-ed3e6bbded54|match_id=143|parent_rule=0|rule_action=Accept|rule_name=95.49_..|rule_uid=6541202c-dfbb-4c4e-8c27-d10d63c55f0d|action=Accept|conn_direction=Outgoing|ifdir=inbound|ifname=bond3.3533|logid=0|loguid={0x685b2ca2,0x533605dd,0x4f6aaf1b,0xf009f746}|origin=10.174.129.129|sequencenum=538|time=1666400383|version=5|__policy_id_tag=product=VPN-1 & FireWall-1db_tag={1586140B-88A8-014F-A33B-6599BBD71827}|mgmt=usfwtamer01|date=1666357943|policy_name=AMERICAS-GDC-EXT|dst=149.154.167.51|lastupdatetime=1666400383|log_delay=1666400383|member_id=1_2|nat_addtnl_rulenum=0|nat_rule_uid=e7099cb0-b0ba-421a-91a3-b2990dee6e7d|nat_rulenum=1668|proto=6|s_port=51939|service=443|service_id=gTCP-Groove-443|src=10.112.195.14|xlatedport=0|xlatedst=0.0.0.0|xlatesport=45957|xlatesrc=199.49.20.51

leandrojmp · November 1, 2022, 2:33pm

You do not need to use grok with this, you need to use the kv filter and configure the field split to use the pipe character.

This filter will parse your message.

  kv {
    source => "message"
    field_split => "|"
    value_split => "="
  }

abkonred1 · November 1, 2022, 3:16pm

Ok Thanks for your prompt response.

Do we need to install kV filter or will it be available by default. Am using logstash 7.16.3 version on RHEL 7 OS . Let me know, how to install the plugin if required additionally.

ahmed_charafouddine · November 1, 2022, 3:59pm

it seems to me that the kv plugin is installed by default.

abkonred1 · November 2, 2022, 7:25am

@leandrojmp Thank you very much..it got worked.

If I need the fields specifically, for example "product" and "version" fields. what will be the best approach?

time=5666373355|hostname=uspilrapfwmlog5|product=System Monitor|ifdir=inbound|ifname=daemon|loguid={0x6355d6e9,0x0,0x8585ae0a,0x55955755}|origin=50.575.58.538|sequencenum=5|time=5666373355|version=5|sys_message:=installed defaultfilter

system · November 30, 2022, 7:25am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Split Logfiles Logstash	4	215	July 26, 2018
[SOLVED] Grok and split fields Logstash	5	8734	July 6, 2017
Split grok pattern Logstash	3	2827	July 6, 2017
How to split Grok Message Logstash	4	1459	December 12, 2018
Create and split some fields Logstash	8	1155	July 6, 2017

Grok pattern

Related topics