Hello,
I want to understand how to build a grok filter since other posts did not make it clear enough for me.
Here are example lines I want to send:
30,05/10/22,07:30:27,DNS Update Request,<ip>,<name>,,,0,6,,,,,,,,,0
11,05/10/22,07:30:27,Renew,<ip>,<name>,04EA56A998EA,,303150361,0,,,,<MAC>.0,,,,0
31,05/10/22,07:30:27,DNS Update Failed,<IP>,<name>,,0,6,,,,,,,,,9004
Here is the filter I built:
input {
  file {
    path => [ "/etc/filebeat/dhcp/test.log" ]
    add_field => { "testvalue" => "Shipped with logstash :)" }
    start_position => "beginning"
  }
}
filter {
  grok {
    # The log lines are comma-separated, so the pattern must use commas, not spaces.
    # Each %{PATTERN:field} names the captured field. code, EVENT and NAME are not
    # built-in grok patterns, so INT and DATA are used and given field names instead.
    # %{IP:ip} only matches a real address, not a literal "<ip>" placeholder.
    match => { "message" => "^%{INT:code},%{DATE_US:date},%{TIME:time},%{DATA:description},%{IP:ip},%{DATA:name}," }
  }
  # Drop every event whose description contains "DNS"
  if "DNS" in [description] {
    drop { }
  }
}
output {
  elasticsearch {
    hosts => "https://elasticsearch:9200"
    cacert => '/ca.crt'
    user => 'logstash'
    password => ?
    index => "logstash-%{+yyyy.MM.dd}-dhcp"
  }
}
I would like to filter the log lines in a way in which they are represented as:
Code: x
Date: x
Time: x
IP: x
Name: x
Because currently it is one line (1:1 the same line as in the log file), which makes it hard to filter and work with.
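The following is an added example, not part of the original post and not Logstash's own code: a small Python model of what a grok filter does with these DHCP lines. It expands a handful of built-in grok patterns (copied in simplified form from the Logstash grok-patterns file; the assumption is IPv4-only IP and no atomic groups so it runs on plain Python re) into a regular expression with named groups, parses the lines into Code/Date/Time/Description/IP/Name fields, and applies the same "drop events whose description contains DNS" rule. The sample lines are constructed, with RFC 5737 example addresses in place of the `<ip>` placeholders, because `%{IP}` needs a real address to match.

```python
import re

# Minimal subset of the built-in grok pattern library. Assumption: copied and
# simplified from the logstash grok-patterns file; YEAR uses (?:..) instead of
# the atomic group (?>..) and IP covers IPv4 only so it runs on plain Python re.
PATTERNS = {
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "YEAR": r"(?:\d\d){1,2}",
    "DATE_US": r"%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"%{HOUR}:%{MINUTE}:%{SECOND}",
    "DATA": r".*?",
    "IP": r"(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
          r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)",
}

# Matches %{NAME} or %{NAME:field} inside a grok expression.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def expand_grok(expr: str) -> str:
    """Recursively replace every %{NAME}/%{NAME:field} with its regex.

    A field name becomes a named capture group, exactly as grok does.
    An unknown NAME raises KeyError, which is grok's "pattern not defined"
    error and is what %{code}, %{EVENT} and %{NAME} would trigger.
    """
    def repl(m):
        name, field = m.group(1), m.group(2)
        body = expand_grok(PATTERNS[name])
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return GROK_REF.sub(repl, expr)


# Same expression as in the Logstash filter: comma separators, named fields.
DHCP_GROK = (
    "^%{INT:code},%{DATE_US:date},%{TIME:time},"
    "%{DATA:description},%{IP:ip},%{DATA:name},"
)
DHCP_RE = re.compile(expand_grok(DHCP_GROK))


def parse_dhcp_line(line: str):
    """Return the named fields, or None when the line does not match
    (Logstash would tag the event _grokparsefailure instead)."""
    m = DHCP_RE.match(line)
    return m.groupdict() if m else None


def should_drop(fields: dict) -> bool:
    """Mirror of:  if "DNS" in [description] { drop { } }"""
    return "DNS" in fields["description"]


def process(lines):
    """Run the filter section over raw lines and return what reaches the output.

    Lines that fail grok are not dropped; like Logstash they go on as the raw
    message with a _grokparsefailure tag and no description field, so the
    DNS condition is false for them.
    """
    kept = []
    for line in lines:
        fields = parse_dhcp_line(line)
        if fields is None:
            kept.append({"message": line, "tags": ["_grokparsefailure"]})
            continue
        if should_drop(fields):
            continue
        kept.append(fields)
    return kept


# Constructed sample lines in the Windows DHCP server log layout of the post,
# with RFC 5737 addresses and made-up host names replacing the placeholders.
SAMPLE_LINES = [
    "30,05/10/22,07:30:27,DNS Update Request,192.0.2.10,host-a.example.com,,,0,6,,,,,,,,,0",
    "11,05/10/22,07:30:27,Renew,192.0.2.11,host-b.example.com,04EA56A998EA,,303150361,0,,,,04EA56A998EA.0,,,,0",
    "31,05/10/22,07:30:27,DNS Update Failed,192.0.2.12,host-c.example.com,,0,6,,,,,,,,,9004",
]

if __name__ == "__main__":
    print("expanded regex:", DHCP_RE.pattern)
    for event in process(SAMPLE_LINES):
        for key, value in event.items():
            print(f"{key.capitalize()}: {value}")
        print("---")
```

Running it prints the expanded regular expression (which is what you can paste into a grok debugger to see why a pattern fails) and one field-per-line block for each event that survives the filter; with the three sample lines only the Renew event gets through, because both DNS lines match the drop condition.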