Help splitting field into two

Elastic Stack Logstash
1

Hey folks,

I am sending logs from Windows server using winlogbeat to logstash (6.6). The field that I am trying to split has 2 IP addresses separated by a comma. How can I go about and create 2 new fields (FirstIP and SecondIP)? There will only ever be a max of 2 IPs, but sometimes only 1.

Field:
event_data.param5

I tried doing something like this but filters are not my strong point by any means.

filter {
mutate {
split => ["event_data.param5", ","]
add_field => { "FirstIP" => "%{[event_data][param5], 0}" }
}
}

The new field, FirstIP, just appears as: %{[event_data][param5], 0}

Any assistance or guidance would be great. Thanks

2

Surrounding a field in a grok filter with ( )? makes it optional, so the following

grok { match => { "message" => "%{IPV4:ip1}(,%{IPV4:ip2})?" } }

will match both of these

128.0.0.0
126.0.0.0,125.0.0.1
1 Like
3

Great thank you. That was exactly what I needed!

4

There is

%{EMAILADDRESS:email}

but it is a pretty narrow definition of an email address. It does not match UUCP bang paths, for example, like "mcvax!foo"@somehost.com, and will not recognize TLDs in non-Latin characters, so if your email address is in the онлайн domain it is not going to match it.

5

Ok thank you. I had just found that. I appreciate the help.

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.