How to determine if field contains a value?

inhinyera16 · August 22, 2017, 3:46am

Hello,

Here's my sample data in a field called "additional text"

"additionalText" : [
"A "commonMIBAlarm" event has occurred, from xxxxxx device, named xxxxxx Severity=major ComponentID=Navigation System&Name=Navigation Site&Name=CS ......
]

Now, what i wanted to accomplish is to parse few fields like severity, componentID using grok filter.

I have this in my filter,

if "commonMIBAlarm" in [additionalText] {
	grok {
		match => { "additionalText" => "%{GREEDYDATA:AddnlText_Status} Event Message: +%{GREEDYDATA:AddnlText_EventMessage} Description: +%{GREEDYDATA:AddnlText_Description} Severity = +%{GREEDYDATA:AddnlText_Severity} ComponentID = +%{GREEDYDATA:AddnlText_ComponentID} SourceIPAddress = +%{GREEDYDATA:AddnlText_SourceIPAddress} ErrCode = +%{GREEDYDATA:AddnlText_ErrCode} Alarm Data = +%{GREEDYDATA:AddnlText_AlarmData} Alarm Type = +%{GREEDYDATA:AddnlText_AlarmType} Probable Cause = +%{GREEDYDATA:AddnlText_ProbableCause}"}
	}
}

After running the logstash, the filter seems not working. It doesnt parse anything. Or maybe the problem is my conditional expression? Anyone can help me?

magnusbaeck · August 23, 2017, 8:56pm

The additionalText field is an array. If you always want to look at the first element of the array, try replacing [additionalText] and additionalText with [additionalText][0].

inhinyera16 · August 24, 2017, 6:34am

i need to look into all the elements, how ?

magnusbaeck · August 24, 2017, 2:38pm

Then you'll have to use a ruby filter.

system · September 21, 2017, 2:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.