How to extract a specific string from a log after a match in grok filter?

WarriorHarb · March 22, 2019, 10:06am

Hello,
So i have a multi-lined log, each line has a format, after creating a grok filter that detects the keyword "callid" ,i would like to extract the ID right after that keyword and save it to a new field. here is a sample of 3 lines from the log file:

Jan 21 14:00:34.499 OPCM35AVCS207 VCS: [0x00001dfc] ScriptManager 0x11111111 for thread 0x22222222 for tenant ******** has removed a thread. Total: 1 thread(s).
Jan 21 14:00:34.499 OPCM35AVCS207 VCS: [0x00001dfc] CSScriptCall::Release DELETE callid=0x0a0a0a0a0a0a0a0a Hitsign hi
Jan 21 14:00:34.499 OPCM35AVCS207 VCS: [0x00001dfc] CCall destroyed at 0x4691aa28

i would like to extract that 0x0a0a0a0a0a0a0a0a into a new field. (note that all of those IDs have the same length 18 caracters), i have created a GROK filter that detects every line that has the word "callid" and create a new field that containes the word callid or void (in case the wod wasn't detected) .
any suggestions will be apperciated.

Badger · March 22, 2019, 1:01pm

How about

    grok {
        match => { "message" => 'callid=(?<callid>[0-9a-fx]{18})' }
    }

WarriorHarb · March 22, 2019, 1:09pm

hi @Badger, thanks for the quick reply.
How would i save it to a new field to visualize its content later ?

Badger · March 22, 2019, 1:10pm

That will save it to a field called "callid".

WarriorHarb · March 22, 2019, 1:20pm

@Badger thanks a lot , you're a life-saver

system · April 19, 2019, 1:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.