How can a public field be filtered by a grok regular expression for multiple unordered logs containing public fields?


(sun_changlong) #1

For example, the following are the contents of the log:

label1=aaa ecorder=taw vsid=3 sub_type=bbbb dst_addr=1.1.1.1
label2=ttt dst_addr=1.1.1.1 vsid=3 sub_type=bbbbtest
der=taaa label3=www dst_addr=1.1.1.1 vsid=3 sub_type=bbbbtest
eco=daf dst_addr=1.1.1.1 label1=aaa vsid=3 sub_type=bbbbtest

They all contain the public fields dst_addr, sub_type, vsid.
Can I filter out the public fields using only one grok regular expression statement and send them to Elasticsearch?


(Christian Dahlqvist) #2

It seems like the kv filter would be better suited than grok for that type of data.


(sun_changlong) #3

Hi, Christian_Dahlqvist:
I just want to send some content to Elasticsearch. For example, the log is:

label1 = aaa ecorder = taw vsid = 3 sub_type = bbbb dst_addr = 1.1.1.1

I just want to send sub_type and dst_addr to Elasticsearch as indexed fields. The order of the log content is different each time, but both always contain these fields. Can this help me?
If it can, can you give me an example? Thank you very much.


(sun_changlong) #4

Hi, Christian_Dahlqvist. I successfully filtered it by using the settings below. Thank you for your tips.

filter {
  kv {
    # parse the raw line; pair order in the message does not matter
    source => "message"
    # each character in this string separates one key=value pair from the next
    field_split => " ?"
    # separates a key from its value
    value_split => "="
    # allow-list: only these keys become fields on the event
    include_keys => ["dst_addr","sub_type"]
  }
}
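A Python emulation of the kv settings from the post above, added here as an example and not code from the thread or from Logstash itself. It assumes a simplified regex model of kv (tolerating spaces around "=" as in the "label1 = aaa" line from post #3 is an assumption of this emulation) and shows the two checks a practitioner wants: the include_keys allow-list keeps unknown keys from ever becoming Elasticsearch fields, and a pre-check flags lines that lack one of the public fields.

```python
import re

# Constructed sample input: the four unordered lines from the question plus the
# "key = value" variant from post #3 and one line that lacks sub_type.
SAMPLE_LOGS = [
    "label1=aaa ecorder=taw vsid=3 sub_type=bbbb dst_addr=1.1.1.1",
    "label2=ttt dst_addr=1.1.1.1 vsid=3 sub_type=bbbbtest",
    "der=taaa label3=www dst_addr=1.1.1.1 vsid=3 sub_type=bbbbtest",
    "eco=daf dst_addr=1.1.1.1 label1=aaa vsid=3 sub_type=bbbbtest",
    "label1 = aaa ecorder = taw vsid = 3 sub_type = bbbb dst_addr = 1.1.1.1",
    "label9=zzz dst_addr=2.2.2.2 vsid=7",
]

PUBLIC_FIELDS = ("dst_addr", "sub_type", "vsid")


def kv_extract(message, field_split=" ?", value_split="=", include_keys=()):
    """Approximate the kv settings from post #4: every character in field_split
    separates pairs, value_split separates key from value, and only keys listed
    in include_keys are kept (all keys if it is empty). Pair order is irrelevant.
    Optional whitespace around the value separator is tolerated (assumption)."""
    fs, vs = re.escape(field_split), re.escape(value_split)
    pair_re = re.compile(rf"([^{fs}{vs}\s]+)\s*[{vs}]\s*([^{fs}]+)")
    fields = {}
    for key, value in pair_re.findall(message):
        if include_keys and key not in include_keys:
            continue  # allow-list: unknown keys never become index fields
        fields[key] = value  # last value wins in this emulation
    return fields


def lines_missing_fields(lines, required=PUBLIC_FIELDS):
    """Return the indexes of lines that do not carry every required key, so a
    broken or spoofed log source is noticed before events reach the index."""
    return [i for i, line in enumerate(lines)
            if not set(required).issubset(kv_extract(line))]


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(kv_extract(line, include_keys=("dst_addr", "sub_type")))
    print("lines missing public fields:", lines_missing_fields(SAMPLE_LOGS))
```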

(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.