Afternoon all,
We are utilizing Metricbeat to send host info by using the metadata that is described in this article. It eventually gives me a field that is populated with IPs from all of the network adapters:
"host": {
  "geo": {
    "name": "nyc-dc1-rack1",
    "region_iso_code": "NY",
    "country_iso_code": "US",
    "continent_name": "North America",
    "city_name": "New York",
    "location": "40.7128, -74.0060",
    "region_name": "New York"
  },
  "name": "lulherro",
  "ip": [
    "fe80::d55c:7b6:e4a9:75ce",
    "10.3.87.127",
    "fe80::2827:c72f:c34:a5fb",
    "169.254.165.251",
    "fe80::55bc:c197:969c:d531",
    "169.254.213.49",
    "fe80::75:adc8:a95b:a3f8",
    "169.254.163.248",
    "fe80::5072:8bd2:f703:4252",
    "169.254.66.82"
  ],
My end goal is to parse out a valid IPv4 address (non-169) so I can end up doing a subnet query to get the client's location based on subnet.
I am trying to parse out a valid IP from this array:
fe80::d55c:7b6:e4a9:75ce, 10.3.87.127, fe80::2827:c72f:c34:a5fb, 169.254.165.251, fe80::55bc:c197:969c:d531, 169.254.213.49, fe80::75:adc8:a95b:a3f8, 169.254.163.248, fe80::5072:8bd2:f703:4252, 169.254.66.82
If I use %{IPV4:validIP} as the grok filter using https://grokdebug.herokuapp.com/:
However, when I use Logstash like so:
if [host][ip] {
  grok {
    match => {"[host][ip]" => '%{IPV4:validIP}'}
  }
}
I get data showing up like this:
"validIP": [
  "10.3.87.127",
  "169.254.165.251",
  "169.254.213.49",
  "169.254.163.248",
  "169.254.66.82"
],
How do I get Logstash to only match non-169 values like it did on the grok debug site above?
Thanks,
Raged
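
One way to pull a single non-link-local IPv4 address out of the `host.ip` array and map it to a subnet, as an added example that is not part of the original post. The Logstash output above shows grok returning a match for every IPv4 element of the array, so this example does the selection in Ruby (the language of Logstash's ruby filter) instead. The function names, the excluded ranges and the subnet-to-site table are assumptions constructed for illustration.

```ruby
require 'ipaddr'

# Ranges that never identify a site subnet (assumed exclusion list).
EXCLUDED_V4 = [
  IPAddr.new('169.254.0.0/16'), # IPv4 link-local (APIPA)
  IPAddr.new('127.0.0.0/8')     # loopback
].freeze

# Constructed subnet-to-site table; replace with real allocations.
SITE_SUBNETS = {
  IPAddr.new('10.3.80.0/20') => 'nyc-dc1',
  IPAddr.new('10.8.0.0/16')  => 'lon-dc2'
}.freeze

# Return the usable IPv4 addresses in a host.ip value (array or string).
def usable_ipv4(host_ips)
  Array(host_ips).map do |raw|
    text = raw.to_s.strip
    next if text.empty?
    begin
      ip = IPAddr.new(text)
    rescue IPAddr::Error
      next # not an IP address at all
    end
    next unless ip.ipv4?                                # drops fe80::... entries
    next if EXCLUDED_V4.any? { |net| net.include?(ip) } # drops 169.254.x.x
    ip.to_s
  end.compact
end

# Pick the first usable address and map it to a site (nil if none is usable).
def site_for(host_ips)
  ip = usable_ipv4(host_ips).first
  return nil unless ip
  addr = IPAddr.new(ip)
  match = SITE_SUBNETS.find { |net, _site| net.include?(addr) }
  { 'validIP' => ip, 'site' => match && match[1] }
end

# Constructed sample following the shape of the host.ip array in the post.
SAMPLE = ['fe80::d55c:7b6:e4a9:75ce', '10.3.87.127', '169.254.165.251',
          'fe80::75:adc8:a95b:a3f8', '169.254.66.82'].freeze

p site_for(SAMPLE)
```

Inside a Logstash ruby filter the same logic would read its input with `event.get('[host][ip]')` and store the result with `event.set`.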