Help to create new field from message

Sam_1995 · January 23, 2023, 5:09am

Hello,

I m looking for a way (maybe with grok), to create new field by extracting some specified pattern but with keeping the field message without modification after operation

Example Pattern

2023-01-23 10:33:25 [ALB-ID : Root=1-63ce151d-11eb303302cfe4382c61a851] [7640768e8bb07414] [7640768e8bb07414] [boundedElastic-144] INFO c.o.a.decorators.DataDecorator.processResponse(105) - requestId: 99f49b2e-186493, method: POST, url: /api/Communication/acl/webhook, RawStatusCode :200 TOTAL_TIME_TAKEN :26ms

Need to create new field TOTAL_TIME_TAKEN with value 26ms

thx a lot for help

Rios · January 23, 2023, 8:27am

If you like to separate the number and the unit:

grok {
      match => { "message" => "TOTAL_TIME_TAKEN :%{INT:totaltimetaken:int}%{GREEDYDATA:unit}" }
 }

Or you want in a single value:
match => { "message" => "TOTAL_TIME_TAKEN :TOTAL_TIME_TAKEN :%{GREEDYDATA:totaltimetaken}" }

system · February 20, 2023, 8:28am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Create new field from existing field using REGEX Logstash	4	1055	November 21, 2019
Extracting a new field from the message field Logstash	9	4858	April 6, 2020
How to create a new field by extracting data from already generated field? Logstash	5	461	November 7, 2018
Logstash filter to create a subfield based on specific text in a log message Logstash	2	168	December 24, 2023
How to create a field that filters the data Elasticsearch	1	130	August 29, 2023

Help to create new field from message

Related Topics