Help using logstash dissect filtering

retroisbest · May 20, 2019, 2:36pm

Hi there,
I'm trying to map my fields using dissect, my data has no common delimiter apart from spaces.

My filter section in logstash config looks like this

 if [type] == "syslog"
{
    dissect {
      mapping => {
      "message" => "%{IP_Address->} %{LMonth} %{LDay} %{LTime} %{Host_Name} %{Facility} %{Priority} %{Tag} %{Message}"
               }
       } 
 }

Yet my mapped fields contain data that should of been split

192.168.2.1 May 20 15:29:44 kern warning kernel DROP_INPUT IN=red0 OUT= MAC=d4:ae:52:a0:84:fb:00:57:d2:79:93:c2:08:00 SRC=xx.xx.xx.xx DST=xx.xx.xx.xx LEN=443 TOS=0x00 PREC=0x00 TTL=48 ID=34493 DF PROTO=UDP SPT=5077 DPT=1023 LEN=423

So my IP_Address field contains "192.168.2.1 May" This is the same then for the fields that follow.

Any help you be greatly appreciated!
Thankyou

Badger · May 20, 2019, 4:35pm

Is the separator between the IP address and the month actually a tab rather than a space?

retroisbest · May 21, 2019, 7:27am

Yes it is...it seems to be a space and a tab after some fields, can i use a literal tab or is there a character to be used?

For future reference its a literal tab, thanks for pointing me in the right way @Badger

system · June 18, 2019, 7:41am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.