Hi,
I'm logging events based on customer account numbers. However, at that point in the system, our software is not aware of the accountName.
Now I know it's a bit of a workaround, but since it is not really possible to make our software aware of the accountNames, I thought it might be possible in Grok while it's parsing the message.
What i would love to do is:
- Grok reads the nummerid account ID from eg: field1=123
- A list of accountID's and their relevant accountNames resides on the hard drive or inline of the configfile
- A bash script or Grok function to find the accountName for this number
- Grok to add a new field to the logmessage: field2="someAccountName"
Is something possible at all, and if yes how expensive would this be performance wise?
In case anyone has an idea on how this can be done, kindly point me in the right direction, as i was unable to discover a sane way to deal with this yet.
Thanks!