How to determine if field contains a value?

Elastic Stack Logstash
1

Hello,

Here's my sample data in a field called "additional text"

"additionalText" : [
"A "commonMIBAlarm" event has occurred, from xxxxxx device, named xxxxxx Severity=major ComponentID=Navigation System&Name=Navigation Site&Name=CS ......
]

Now, what i wanted to accomplish is to parse few fields like severity, componentID using grok filter.

I have this in my filter,

if "commonMIBAlarm" in [additionalText] {
	grok {
		match => { "additionalText" => "%{GREEDYDATA:AddnlText_Status} Event Message: +%{GREEDYDATA:AddnlText_EventMessage} Description: +%{GREEDYDATA:AddnlText_Description} Severity = +%{GREEDYDATA:AddnlText_Severity} ComponentID = +%{GREEDYDATA:AddnlText_ComponentID} SourceIPAddress = +%{GREEDYDATA:AddnlText_SourceIPAddress} ErrCode = +%{GREEDYDATA:AddnlText_ErrCode} Alarm Data = +%{GREEDYDATA:AddnlText_AlarmData} Alarm Type = +%{GREEDYDATA:AddnlText_AlarmType} Probable Cause = +%{GREEDYDATA:AddnlText_ProbableCause}"}
	}
}

After running the logstash, the filter seems not working. It doesnt parse anything. Or maybe the problem is my conditional expression? Anyone can help me?

2

The additionalText field is an array. If you always want to look at the first element of the array, try replacing [additionalText] and additionalText with [additionalText][0].

3

i need to look into all the elements, how ?

4

Then you'll have to use a ruby filter.

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.