How to print out %{host.ip} using line codec?

Elastic Stack Logstash
1

I am using the line codec to output the logs into a text file. Requested to include only the IP and log entry itself.

Tried different combination of %{host}.{ip} like this, nothing works so far.

output {
  file {
    path => "/tmp/file_line.txt"
    codec => line { format => "%{host.ip} %{message}" }
  }
}

%{host} works, output like:
2021-04-09T20:47:34.743Z {"name":"hostname","ip":["192.168.0.x"]} log msg
ideal output like:
2021-04-09T20:47:34.743Z 192.168.0.x log msg

Any document on how to format?

Thanks

2

If you change that to

 codec => rubydebug

What does the host.ip field look like?

4 
{
          "tags" => [
        [0] "beats_input_codec_plain_applied"
    ],
       "message" => "log msg #28",
    "@timestamp" => 2021-04-09T22:34:45.247Z,
          "host" => {
        "name" => "hostname",
          "ip" => [
            [0] "192.168.0.x",
            [1] "2607:fea8:3c40:84:20c:29ff:fe97:6fb9",
            [2] "fe80::20c:29ff:fe97:6fb9"
        ]
    },
        "fields" => {
        "tags" => "Tag_nginx_access"
    },
      "@version" => "1"
}
5

To reference the first entry in the array you would use

format => "%{[host][ip][0]} %{message}"
6

My man! Thanks.
One further question regarding the IP. Is there a way to include only IPv4, not IPv6? We are using filebeat as the input. Ideally to have this filter in filebeat.

7

Yes, u can do a script processor and loop through the host.ip field and remove any item that has a :

8

You can use grok to pick out members of the array that are IPV4 addresses

grok { match => { "[host][ip]" => "%{IPV4:[@metadata][ip]}" } }

That will result in an array if there are more than one V4 addresses in the array, to pick out the first you can use

if [@metadata][ip][1] { mutate { replace => { "[@metadata][ip]" => "%{[@metadata][ip][0]}" } } }
9

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.