Help with grok filter

Hello,

I am having difficulty writing a Grok filter for this message:

loc=45671|time=2017-11-27 18:35:02|action=HTTPS Inspect|orig=10.212.12.31|i/f_dir=inbound|i/f_name=eth1.315|has_accounting=0|uuid=<00000000,00000000,00000000,00000000>|product=HTTPS Inspection|https_inspection_action=Inspect|src=10.123.124.21.12|s_port=52401|dst=10.112.123.123|service=8080|proto=tcp|HTTPS_inspection_rule_id={D2FCC216-3C25-45CE-B24E-971C603D4141}|HTTPS_inspection_rule_name=SSL Inspection|app_category=Computers / Internet|matched_category=Computers / Internet|app_properties=Computers / Internet,Social Networking,URL Filtering|resource=video-gru2-1.xx.fbcdn.net|user=joaosilva(+)|src_user_name=joaosilva(+)|snid=c09ffa3c|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag={5FF5BDB6-9BD3-044F-9F28-23AB0125A137};mgmt=FW-INTERNET;date=1511814737;policy_name=Standard]|origin_sic_name=cn=cp_mgmt,o=FW-INTERNET-BR-BDC1..9si37asv

I need to create a filter for this log...

with fields:

-Action
-Orig
-Src
-Dst
-__policy_id_tag
-user
-resource

Can someone help me with this pattern?

Hi Rafael,

Here you can find the pattern for the first 4 fields:

loc=%{NUMBER:loc}\|time=%{GREEDYDATA:date}\|action=%{DATA:action}\|orig=%{IP:ip}

The rest of the pattern is pretty much the same. You can use the Grok Constructor website to help you build patterns. The core Logstash patterns are on GitHub too.

Please let me know if it helps.

Cheers,
LG


Hi,

You don't necessarily need to use grok. A combination of grok with the kv filter will work as well. Did you try the following filter plugin?

https://www.elastic.co/guide/en/logstash/current/plugins-filters-kv.html

Regards,
N


I understand the patterns now.

But I will use the KV filter, much easier, heh...

Thank you so much.


Wow, the KV filter is perfect.

It works with these parameters:

kv {
field_split => "|"
value_split => "="
}

Thanks.

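As an added example (not code from the thread or from Logstash), the script below re-implements in Python what the `kv { field_split => "|" value_split => "=" }` configuration above does to the posted Check Point line, so the result can be inspected offline. It also covers two points from the earlier grok reply: the `__policy_id_tag` value carries its own nested `key=value;...` list and several `=` characters, which only survive because the split happens at the first `=` of each piece, and `%{IP:...}` would not match the posted `src` value `10.123.124.21.12`, which has five octets. The sample line is a constructed copy of the message in the question; the helper names (`kv_parse`, `parse_policy_tag`, `coerce_types`, ...) are this example's own, and the integer conversion mirrors what a Logstash `mutate { convert => ... }` would do for the "sum of two values" question.

```python
import ipaddress
from datetime import datetime

# Constructed copy of the Check Point HTTPS Inspection line posted in the thread.
SAMPLE = (
    "loc=45671|time=2017-11-27 18:35:02|action=HTTPS Inspect|orig=10.212.12.31|"
    "i/f_dir=inbound|i/f_name=eth1.315|has_accounting=0|"
    "uuid=<00000000,00000000,00000000,00000000>|product=HTTPS Inspection|"
    "https_inspection_action=Inspect|src=10.123.124.21.12|s_port=52401|"
    "dst=10.112.123.123|service=8080|proto=tcp|"
    "HTTPS_inspection_rule_id={D2FCC216-3C25-45CE-B24E-971C603D4141}|"
    "HTTPS_inspection_rule_name=SSL Inspection|app_category=Computers / Internet|"
    "matched_category=Computers / Internet|"
    "app_properties=Computers / Internet,Social Networking,URL Filtering|"
    "resource=video-gru2-1.xx.fbcdn.net|user=joaosilva(+)|src_user_name=joaosilva(+)|"
    "snid=c09ffa3c|__policy_id_tag=product=VPN-1 & FireWall-1[db_tag="
    "{5FF5BDB6-9BD3-044F-9F28-23AB0125A137};mgmt=FW-INTERNET;date=1511814737;"
    "policy_name=Standard]|origin_sic_name=cn=cp_mgmt,o=FW-INTERNET-BR-BDC1..9si37asv"
)

# The fields the question asks for.
WANTED = ("action", "orig", "src", "dst", "__policy_id_tag", "user", "resource")


def kv_parse(message, field_split="|", value_split="="):
    """Split the way kv does with field_split "|" and value_split "=":
    one record per "|" piece, key = text before the FIRST "=", value = the rest,
    so "=" characters inside a value (__policy_id_tag, origin_sic_name) survive."""
    fields = {}
    for piece in message.split(field_split):
        key, sep, value = piece.partition(value_split)
        if not sep or not key:
            continue  # pieces without a key=value shape are dropped
        fields[key] = value
    return fields


def select_fields(fields, wanted=WANTED):
    """Keep only the requested fields (None when a field is absent)."""
    return {name: fields.get(name) for name in wanted}


def parse_policy_tag(tag):
    """__policy_id_tag nests a second list: 'product=X[k=v;k=v;...]'."""
    head, _, inner = tag.partition("[")
    nested = {}
    key, sep, value = head.partition("=")
    if sep:
        nested[key] = value
    for piece in inner.rstrip("]").split(";"):
        key, sep, value = piece.partition("=")
        if sep:
            nested[key] = value
    return nested


def is_valid_ip(value):
    """What a grok %{IP} capture needs: a real IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def coerce_types(fields, integer_fields=("loc", "s_port", "service")):
    """kv leaves every value as a string; convert numeric and time fields
    (the equivalent of mutate/convert) so a dashboard can sum or bucket them."""
    out = dict(fields)
    for name in integer_fields:
        if name in out:
            out[name] = int(out[name])
    if "time" in out:
        out["time"] = datetime.strptime(out["time"], "%Y-%m-%d %H:%M:%S")
    return out


if __name__ == "__main__":
    parsed = kv_parse(SAMPLE)
    for name, value in select_fields(parsed).items():
        print(f"{name:16} = {value}")
    print("policy:", parse_policy_tag(parsed["__policy_id_tag"]))
    for name in ("orig", "src", "dst"):
        print(f"{name} is a valid IP: {is_valid_ip(parsed[name])}")
    typed = coerce_types(parsed)
    print("s_port + service =", typed["s_port"] + typed["service"])
```

Run it as-is to see the seven requested fields, the nested policy tag, and that `orig` and `dst` pass the IP check while `src` does not; anything that must feed a numeric aggregation in a dashboard has to go through the conversion step, because after kv every field is still text.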

Now I have all the fields as strings and I need to make a dashboard that sums two values. Any ideas?

Hi Rafael,

This question has already been answered on the forum.

Also, you should not ask all your questions in the same thread. You should create a new thread once the current question is solved.

Regards,
N
