How to get grok filter from variable

jfur · February 5, 2018, 6:40pm

I have somewhat of a complex use case where some events have data in their firewall "msg" field that needs to be parsed out (most don't). I have a dictionary file that is parsing out just fine with the kv plugin, but am having a hard time referencing the variable in the grok filter. Can someone tell me what I'm doing wrong to reference this?

if [ec_grok] {
grok {
match => [ "event_content", "[ec_grok]"]
}
}

Note "ec_grok" is the field that has the following "%{DATA} %{IP:source_ip} %{DATA} %{MAC:srcMac}".

If needed, the full logstash config can be seen in my github:
https://github.com/JonFurmanski/logstash/blob/master/examples/sonicwall/logstash.conf

magnusbaeck · February 5, 2018, 9:24pm

Grok expressions with dynamic %{field} references aren't supported.

jfur · February 5, 2018, 10:07pm

Thank you for the clarification. I've gone ahead an opened up a feature request in github

https://github.com/elastic/logstash/issues/9099

system · March 5, 2018, 10:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can I reference a variable set in my GROK statement in an if statement later on in the filter? Logstash	2	615	March 11, 2019
Grok filter on dynamic source field name Logstash	1	389	November 20, 2018
How to access existing field in KV filter plugin? Logstash	2	692	August 6, 2018
List variable reference - is it possible? Logstash	1	312	December 12, 2019
Logstash Filter Use Logstash	5	429	November 27, 2018

How to get grok filter from variable

Related topics