I have somewhat of a complex use case where some events have data in their firewall "msg" field that needs to be parsed out (most don't). I have a dictionary file that is parsing out just fine with the kv plugin, but am having a hard time referencing the variable in the grok filter. Can someone tell me what I'm doing wrong to reference this?
```
if [ec_grok] {
  grok {
    match => [ "event_content", "[ec_grok]" ]
  }
}
```
Note "ec_grok" is the field that has the following "%{DATA} %{IP:source_ip} %{DATA} %{MAC:srcMac}".
If needed, the full Logstash config can be seen on my GitHub:
https://github.com/JonFurmanski/logstash/blob/master/examples/sonicwall/logstash.conf
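As an added illustration (not from the original post or the linked repository), the following Logstash filter shows one way to wire the same pieces together: a `kv` stage that fills `ec_grok` and `event_content`, then a conditional `grok` stage that applies the pattern quoted above. The field names `event_content` and `ec_grok` and the pattern come from the post; the `kv` options (`source`, `field_split`, `value_split`), the custom pattern name `SONICWALL_MSG`, and the failure tag are assumptions. The pattern is written directly into the config via `pattern_definitions` rather than read from a field at runtime.

```conf
filter {
  # Assumed: the dictionary content arrives as space-separated key=value pairs
  # in the "message" field; adjust source/splits to match the real input.
  kv {
    source      => "message"
    field_split => " "
    value_split => "="
  }

  # Only the minority of events that carry parseable msg data get grokked.
  if [ec_grok] {
    grok {
      # Pattern placed statically in the config; "SONICWALL_MSG" is an assumed name.
      pattern_definitions => {
        "SONICWALL_MSG" => "%{DATA} %{IP:source_ip} %{DATA} %{MAC:srcMac}"
      }
      match          => { "event_content" => "%{SONICWALL_MSG}" }
      # Assumed tag so failed parses are visible in the pipeline output.
      tag_on_failure => [ "_ec_grok_failed" ]
    }
  }
}
```

Events that do not carry `ec_grok` pass through untouched; events that do but fail to match get the failure tag, which makes mismatches between the dictionary pattern and the actual `event_content` easy to spot when testing the pipeline.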