Hi,
Trying execbeat, I see that data is imported to logstash as exec.command, exec.stdout and exec.exitCode.
I wonder how I can add tags in logstash for further analysis.
In this example I would like to extract the number of lost packets.
Here is an example of data:
{
  "_index": "execbeat-2018.07.01",
  "_type": "doc",
  "_id": "poFvVWQBovG87emp9BnL",
  "_version": 1,
  "_score": null,
  "_source": {
    "host": "abc123",
    "@version": "1",
    "beat": {
      "name": "abc123",
      "version": "3.3.0",
      "hostname": "abc123"
    },
    "exec": {
      "exitCode": 0,
      "stdout": "PING google.com (216.58.209.142) 56(84) bytes of data.\n\n--- google.com ping statistics ---\n1 packets transmitted, 1 received, 0% packet loss, time 0ms\nrtt min/avg/max/mdev = 3.795/3.795/3.795/0.000 ms\n",
      "command": "ping"
    },
    "tags": [
      "beats_input_raw_event",
      "_grokparsefailure"
    ],
    "type": "execbeat",
    "@timestamp": "2018-07-01T10:42:37.000Z"
  },
  "fields": {
    "@timestamp": [
      "2018-07-01T10:42:37.000Z"
    ]
  },
  "sort": [
    1530441757000
  ]
}
First, I tried this:
grok { match => { "exec.stdout" => "(?<packet_loss>\d+)% packet loss" } }
That did not work.
Then I tried mutate filter:
mutate {
copy => { "exec.stdout" => "experiment" }
}
That did not work either. No experiment field is created.
Can you give advice on how to use execbeat output together with logstash?
Thanks, Mathias
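
An added example, not part of the original post: Logstash addresses nested fields with bracket references, so the `stdout` key inside the `exec` object of the sample event is `[exec][stdout]` rather than `exec.stdout`. The conditional on `[type]` and `[exec][command]`, the `ping_stats` and `_ping_loss_parsefailure` tag names, and the `experiment` target are illustrative assumptions taken from or modelled on the sample event.

```logstash
filter {
  # Only touch execbeat events produced by the ping command,
  # so other event types are not tagged with a parse failure.
  if [type] == "execbeat" and [exec][command] == "ping" {

    grok {
      # Nested field reference: [exec][stdout], not "exec.stdout".
      # The pattern is unanchored, so it matches inside the multi-line output.
      match => { "[exec][stdout]" => "(?<packet_loss>\d+)% packet loss" }

      # add_tag is applied only when the match succeeds.
      add_tag => ["ping_stats"]

      # Use a dedicated failure tag so this filter's failures can be
      # told apart from the generic _grokparsefailure of other groks.
      tag_on_failure => ["_ping_loss_parsefailure"]
    }

    mutate {
      # Store the captured value as a number so it can be aggregated.
      convert => { "packet_loss" => "integer" }

      # The same bracket syntax applies to the copy experiment.
      copy => { "[exec][stdout]" => "experiment" }
    }
  }
}
```

With the sample event above, this yields `packet_loss` as the integer 0 and adds the `ping_stats` tag.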