Help splitting field into two

rblumenthal · April 25, 2019, 12:57pm

Hey folks,

I am sending logs from Windows server using winlogbeat to logstash (6.6). The field that I am trying to split has 2 IP addresses separated by a comma. How can I go about and create 2 new fields (FirstIP and SecondIP)? There will only ever be a max of 2 IPs, but sometimes only 1.

Field:
event_data.param5

I tried doing something like this but filters are not my strong point by any means.

filter {
mutate {
split => ["event_data.param5", ","]
add_field => { "FirstIP" => "%{[event_data][param5], 0}" }
}
}

The new field, FirstIP, just appears as: %{[event_data][param5], 0}

Any assistance or guidance would be great. Thanks

Badger · April 25, 2019, 2:05pm

Surrounding a field in a grok filter with ( )? makes it optional, so the following

grok { match => { "message" => "%{IPV4:ip1}(,%{IPV4:ip2})?" } }

will match both of these

128.0.0.0
126.0.0.0,125.0.0.1

rblumenthal · April 25, 2019, 2:48pm

Great thank you. That was exactly what I needed!

Badger · April 25, 2019, 3:01pm

There is

%{EMAILADDRESS:email}

but it is a pretty narrow definition of an email address. It does not match UUCP bang paths, for example, like "mcvax!foo"@somehost.com, and will not recognize TLDs in non-Latin characters, so if your email address is in the онлайн domain it is not going to match it.

rblumenthal · April 25, 2019, 3:02pm

Ok thank you. I had just found that. I appreciate the help.

system · May 23, 2019, 3:02pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Splitting IP addresses Logstash	3	920	April 26, 2018
Logstash and Split Logstash	5	256	April 15, 2021
Not able to create separate fields all log data in message field Logstash	3	284	July 29, 2019
Configure two types of data in logstash filter Logstash	3	313	August 13, 2019
Logstash - How to split this field Logstash	3	283	July 19, 2019

Help splitting field into two

Related topics