How to Parse logfile with columns informations

Loudone · August 2, 2018, 7:28am

Dear All,

I'm trying to parse a very specific Log, this log look like this:

pid  user_name  user_authentication  client_host  client_lib_ver
===  =========  ===================  ===========  ==============

510  dmadmin    Password             0111APPT     5.3.0.622 SP6 
378  dmadmin    Password             ADTS71       7.1.0450.0357 
464  dmadmin    Password             ADTS71       7.1.0450.0357 
410  dmadmin    Trusted Client       DCTMLS20     7.3.0030.0023 
307  dmadmin    Trusted Client       DCTMLS20     7.3.0040.0025 
432  Aodren LE  Ticket               0112APPT     7.2.0000.0054 
338  Aodren LE  Ticket               0112APPT     7.2.0000.0054 
688  Aodren LE  Ticket               0112APPT     7.2.0000.0054

My question is: how can I parse in logstash with grok filter this kind of log? and is it possible?

Many thanks for your feed Back

magnusbaeck · August 2, 2018, 7:44am

Of course it's possible, but using a csv or dissect filter might be easier. Are columns always separated by two or more spaces, i.e. how do we know that "Aodren LE" is part of the same column?

Loudone · August 2, 2018, 8:10am

Hello Magnus,

To begin, Thank you for your response.

I'm completly agree with you, if this log will be in csv, it could be an easier way.

Every columns are separated by two spaces, and for the column User_name, the string is include in the length of the multiple string "=" on the top of the log

If it's possible to do that with the dissect filter, how can I do that?

Thank you

Loudone · August 2, 2018, 8:53am

Magnus, do you have an idea.?

magnusbaeck · August 2, 2018, 9:14am

This example from the documentation is pretty close to what you need: https://www.elastic.co/guide/en/logstash/current/plugins-filters-dissect.html#_delimiters_used_as_padding_to_visually_align_fields

Loudone · August 2, 2018, 10:05am

Magnus,

it seems to be interresting!! many thanks for your feed back

Loudone · August 2, 2018, 10:15am

Last question Magnus, do you hnow if Dissect Debugger similar to the grok debugger exit?

it's very helpful for debugging logstash config

magnusbaeck · August 2, 2018, 10:54am

Last question Magnus, do you hnow if Dissect Debugger similar to the grok debugger exit?

I don't believe there's anything like that.

system · August 30, 2018, 10:54am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.