How do I index regular expressions?

Joshua_Fox · January 31, 2018, 2:22pm

For log management, I want to build Kibana reports based on log lines like this:

2018-01-31 11:50:00.212 Loading the user images took 234 ms 
2018-01-31 10:23:01.984 Loading the user images took 331 ms 
2018-01-31 10:12:41.323 Loading the user images took 512 ms

So, the report would take lines with the string Loading the user images took

Then the regex would extract the number as in /took (\d+) ms/ and build a chart or notification.

How do I do this?

(Searching for this topic, I find discussion of regex queries and indexes but nothing about this functionality (which is quite basic in Splunk.)

Christian_Dahlqvist · January 31, 2018, 2:30pm

You can parse and extract values into separate fields in Logstash, e.g. using a grok filter. Then you can use these fields to build visualizations in Kibana.

system · February 28, 2018, 2:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.