How to find a filter for this?

I have the following log message. I don't have any idea how to use a Logstash filter for this message. Can someone help me?

Apr 25 05:09:47 52.78.111.182 %DEVICE-6-UNADOPTED: Device('ap3222-E6D67E'/'ap7622'/74-57-F7-E6-D4-7E) at rf-domain:'ABC-SL' unadopted. Radios: Count=2, Bss: 74-57-F7-DD-E5-20|74-67-F7-DD-E5-42|

Have you tried using the grok constructor web site to craft a grok expression? It's also not clear what the desired result is. Do you want to extract any fields besides the timestamp and the IP address? Do all your messages look like this or are there variations to take into account?

All messages look like this. I want to extract the time field, status (adopted or unadopted), device name, device MAC and rf-domain from this message. I tried to use grok, but this message is different from the usual messages.

I tried to use grok, but this message is different from the usual messages.

Not sure what you mean by this. With some help from the grok constructor site it should be easy to cook a reasonably good expression.

I tried the following grok pattern.
%{CISCOTIMESTAMP:ciscotimestamp} %{IP:serverip} %{SYSLOGPROG}: %{GREEDYDATA:message}

But I want to extract the contents of this GREEDYDATA field as well. How can I do this? Please help me.

The GREEDYDATA expression captures the following:

"Device('ap3222-E6D67E'/'ap7622'/74-57-F7-E6-D4-7E) at rf-domain:'ABC-SL' unadopted. Radios: Count=2, Bss: 74-57-F7-DD-E5-20|74-67-F7-DD-E5-42|"

What specifically do you wish to capture in this?

devicename - ap3222-E6D67E
device - ap7622
devicemac - 74-57-F7-E6-D4-7E
Likewise, I want to get that data.
I created the following pattern.
%{CISCOTIMESTAMP:ciscotimestamp} %{IP:serverip} %{SYSLOGPROG}: \bDevice(?'devicename'[^'][^/])[^'](?'device'[^'][^/])(?'devicemac'[^'][^/][^)])

But it gives:
|program |%DEVICE-6-UNADOPTED|
|devicemac |/74-57-F7-E6-D4-7E|
|ciscotimestamp |Apr 25 05:09:47|
|devicename |('ap3222-E6D67E'|
|serverip |52.78.111.182|
|device |/'ap7622'|

I want to remove the /, ' and ( characters from the above three values (devicename, device and devicemac).

Here is a sample pattern that could be written. This assumes that the pattern remains consistent across the log lines.

The custom pattern used is as follows:
CPAT ([\w-]+)

Here is the complete expression:
%{CISCOTIMESTAMP:ciscotimestamp} %{IP:serverip} %{SYSLOGPROG}: Device\(\'%{CPAT:devicename}\'\/\'%{CPAT:device}\'\/%{CPAT:devicemac}

I have used the Grok Debugger included with Kibana to write this pattern.

Let me know if this helps!

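The answer above stops at the three Device(...) fields, while the question also asked for the status (adopted/unadopted) and the rf-domain. The following is an added example, not code from this thread or from Logstash: it expands a grok expression into a plain regular expression the same way the grok filter does, using the CPAT custom pattern from the answer plus two more captures, and runs it over the original line and two constructed lines. The grok library patterns are simplified copies (IPv4-only IP, three-letter English MONTH) and are an assumption; the "adopted" line and the line with a quote in the device name are constructed to show the pattern generalising and failing cleanly, not taken from the thread.

```python
import re

# Simplified subset of the stock grok-patterns library (assumption: close enough
# to the real definitions for this message; IP is IPv4-only here).
GROK_PATTERNS = {
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "YEAR": r"(?:\d\d){1,2}",
    "TIME": r"(?:2[0-3]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5]?[0-9])",
    "CISCOTIMESTAMP": r"%{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}",
    "IP": r"(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
          r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)",
    "POSINT": r"\b[1-9][0-9]*\b",
    "PROG": r"[\x21-\x5a\x5c\x5e-\x7e]+",
    "SYSLOGPROG": r"%{PROG:program}(?:\[%{POSINT:pid}\])?",
    "WORD": r"\b\w+\b",
    # custom pattern from the answer above; deliberately narrow, so quotes,
    # slashes and parentheses can never end up inside these fields
    "CPAT": r"[\w-]+",
}

# The answer's expression extended with rf-domain and status. Anchored with ^
# so the match cannot start in the middle of an unrelated message.
GROK_EXPR = (
    r"^%{CISCOTIMESTAMP:ciscotimestamp} %{IP:serverip} %{SYSLOGPROG}: "
    r"Device\('%{CPAT:devicename}'/'%{CPAT:device}'/%{CPAT:devicemac}\) "
    r"at rf-domain:'%{CPAT:rfdomain}' %{WORD:status}\."
)

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def expand_grok(expr: str, patterns: dict = GROK_PATTERNS) -> str:
    """Replace %{NAME} / %{NAME:field} references with regex (named) groups,
    recursively, which is what the grok filter does when it compiles a pattern."""
    def repl(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        inner = expand_grok(patterns[name], patterns)  # KeyError on unknown name
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return GROK_REF.sub(repl, expr)


MESSAGE_RE = re.compile(expand_grok(GROK_EXPR))


def parse_line(line: str):
    """Return the captured fields, or None where Logstash would add _grokparsefailure."""
    m = MESSAGE_RE.search(line)
    if m is None:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


SAMPLE_LINES = [
    # the line from the question
    "Apr 25 05:09:47 52.78.111.182 %DEVICE-6-UNADOPTED: "
    "Device('ap3222-E6D67E'/'ap7622'/74-57-F7-E6-D4-7E) at rf-domain:'ABC-SL' "
    "unadopted. Radios: Count=2, Bss: 74-57-F7-DD-E5-20|74-67-F7-DD-E5-42|",
    # constructed: the adopted counterpart, assumed to use the same layout
    "Apr 25 05:12:03 52.78.111.182 %DEVICE-6-ADOPTED: "
    "Device('ap3222-E6D67E'/'ap7622'/74-57-F7-E6-D4-7E) at rf-domain:'ABC-SL' "
    "adopted. Radios: Count=2, Bss: 74-57-F7-DD-E5-20|",
    # constructed: a device name carrying a quote; CPAT cannot match it, so the
    # line fails as a whole instead of yielding a half-parsed, misleading event
    "Apr 25 05:13:10 52.78.111.182 %DEVICE-6-UNADOPTED: "
    "Device('ap'x'/'ap7622'/74-57-F7-E6-D4-7E) at rf-domain:'ABC-SL' unadopted.",
]

if __name__ == "__main__":
    print(MESSAGE_RE.pattern)
    for line in SAMPLE_LINES:
        print(parse_line(line))
```

In a Logstash pipeline the same expression goes into the grok filter's `match` option, with CPAT supplied either through a `patterns_dir` file or inline with `pattern_definitions => { "CPAT" => "[\w-]+" }`. Keeping CPAT as narrow as `[\w-]+` rather than `.*?` is the practical fix for the stray `/`, `'` and `(` in the earlier attempt, and it also means a device that reports a name with unexpected characters produces a `_grokparsefailure` you can alert on rather than a silently mangled field.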

Thank you so much, it works.
