Help to create new field from message

Sam_1995 · January 23, 2023, 5:09am

Hello,

I m looking for a way (maybe with grok), to create new field by extracting some specified pattern but with keeping the field message without modification after operation

Example Pattern

2023-01-23 10:33:25 [ALB-ID : Root=1-63ce151d-11eb303302cfe4382c61a851] [7640768e8bb07414] [7640768e8bb07414] [boundedElastic-144] INFO c.o.a.decorators.DataDecorator.processResponse(105) - requestId: 99f49b2e-186493, method: POST, url: /api/Communication/acl/webhook, RawStatusCode :200 TOTAL_TIME_TAKEN :26ms

Need to create new field TOTAL_TIME_TAKEN with value 26ms

thx a lot for help

Rios · January 23, 2023, 8:27am

If you like to separate the number and the unit:

grok {
      match => { "message" => "TOTAL_TIME_TAKEN :%{INT:totaltimetaken:int}%{GREEDYDATA:unit}" }
 }

Or you want in a single value:
match => { "message" => "TOTAL_TIME_TAKEN :TOTAL_TIME_TAKEN :%{GREEDYDATA:totaltimetaken}" }

system · February 20, 2023, 8:28am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.