Help with filtering message based on regex

judge · March 8, 2021, 3:42pm

Hi, I really need some help with logstash.

I a trying to filter messages based on content and send them to an alternative server for example:

{"type":"syslog","host":"1.1.1.1","@timestamp":"2021-03-08T13:18:55.722Z","message":"<14>Mar 8 14:04:21 myrouter1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 1.1.1.2/500->1.1.1.3/500 0x0 junos-ike 0x0 N/A N/

I want to pick out RT_FLOW_SESSION* with regex and tag the entry but I cannot seem to work out how to structure this.

my inputs and outputs are working fine, i have tested this using:

input 	{
	syslog {
		port => 514
			}
filter {if [host] == "1.1.1.1"{
mutate { add_tag => [router]}}

I have a number of IPs to match, but I think filtering based on a regex will be more efficient.

Thanks in advance.

Badger · March 8, 2021, 5:33pm

You could use grok

grok { match => { "message" => "RT_FLOW_SESSION_%{WORD:sessionOp}:" } }

judge · March 11, 2021, 7:46pm

Thank you Badger

system · April 8, 2021, 7:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok Pattern Help with message parsing Logstash	5	1450	July 6, 2017
Filter Not Working (Version 2.3.1) Logstash	5	1016	July 6, 2017
Quick Question on Grok and filtering Logstash	3	260	May 21, 2018
Logstash filter not working Logstash	3	303	December 21, 2018
Logstash Filter, is there a better way than mine Logstash	4	224	May 6, 2022

Help with filtering message based on regex

Related topics