Help for writing a query

Adren · February 13, 2018, 2:28pm

Hello, I have this message for example:

	<189>date=2018-02-13 time=15:05:47 devname=FG-ORDITECH-1 devid=FG100D3G16817009 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" logtime=1518530747 srcip=192.168.21.12 srcport=7695 srcintf="port9" srcintfrole="dmz" dstip=40.101.70.2 dstport=443 dstintf="IPPack" dstintfrole="wan" poluuid="ca22462a-0b1d-51e7-ad36-c72a86e85a3b" sessionid=412109915 proto=6 action="close" policyid=346 policytype="policy" service="HTTPS" dstcountry="Austria" srccountry="Reserved" trandisp="snat" transip=212.166.55.194 transport=7695 appid=15816 app="Microsoft.Outlook" appcat="Email" apprisk="medium" applist="Application filtering" duration=2161 sentbyte=23332 rcvdbyte=39844 sentpkt=175 rcvdpkt=184 shapingpolicyid=10 shapersentname="Shared-AllPolicies-2.5Mb-Gar-Other" shaperdropsentbyte=0 shaperrcvdname="Shared-AllPolicies-2.5Mb-Gar-Other" shaperdroprcvdbyte=989 utmaction="allow" countapp=1

see the "<189>" I want to create a query that searches the number between the "<>", is it possible ? It's for watching the syslog alert message later.

Christian_Dahlqvist · February 13, 2018, 2:41pm

Instead of trying to do this kind of parsing at query time (which can be slow and inefficient), I would recommend you parse out the data of the event into separate field, e.g. using Logstash or an ingest node pipeline.

Adren · February 13, 2018, 3:01pm

I've read this
https://www.elastic.co/guide/en/logstash/current/advanced-pipeline.html and this
https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html
but I still have difficulties about how parsing out the element I want into a seperate field, I mean, how can I put <189> into a different field ?

Christian_Dahlqvist · February 13, 2018, 3:18pm

You can parse the log message e.g. using a grok filter. For the sample data you provided it could look something like this:

  grok {
    match => { "message" => "<%{NUMBER:sev}>%{GREEDYDATA:kvlist}" }
  }

  kv {
    source => "kvlist"
    remove_field => ["kvlist"]
  }

Once you have separated out parts of your data you can further enrich it if needed.

Adren · February 13, 2018, 3:39pm

Amazing. It works ! Thank you a lot.

system · March 13, 2018, 3:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.