Help for writing a query

Hello, I have this message for example:

	<189>date=2018-02-13 time=15:05:47 devname=FG-ORDITECH-1 devid=FG100D3G16817009 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" logtime=1518530747 srcip= srcport=7695 srcintf="port9" srcintfrole="dmz" dstip= dstport=443 dstintf="IPPack" dstintfrole="wan" poluuid="ca22462a-0b1d-51e7-ad36-c72a86e85a3b" sessionid=412109915 proto=6 action="close" policyid=346 policytype="policy" service="HTTPS" dstcountry="Austria" srccountry="Reserved" trandisp="snat" transip= transport=7695 appid=15816 app="Microsoft.Outlook" appcat="Email" apprisk="medium" applist="Application filtering" duration=2161 sentbyte=23332 rcvdbyte=39844 sentpkt=175 rcvdpkt=184 shapingpolicyid=10 shapersentname="Shared-AllPolicies-2.5Mb-Gar-Other" shaperdropsentbyte=0 shaperrcvdname="Shared-AllPolicies-2.5Mb-Gar-Other" shaperdroprcvdbyte=989 utmaction="allow" countapp=1

see the "<189>" I want to create a query that searches the number between the "<>", is it possible ? It's for watching the syslog alert message later.

Instead of trying to do this kind of parsing at query time (which can be slow and inefficient), I would recommend you parse out the data of the event into separate field, e.g. using Logstash or an ingest node pipeline.

I've read this and this
but I still have difficulties about how parsing out the element I want into a seperate field, I mean, how can I put <189> into a different field ?

You can parse the log message e.g. using a grok filter. For the sample data you provided it could look something like this:

  grok {
    match => { "message" => "<%{NUMBER:sev}>%{GREEDYDATA:kvlist}" }

  kv {
    source => "kvlist"
    remove_field => ["kvlist"]

Once you have separated out parts of your data you can further enrich it if needed.

Amazing. It works ! Thank you a lot.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.