How to replace grok pattern with new name

ramindia · September 15, 2018, 4:53pm

below example --

May be i have given wrong subject : but what iam looking example as below :

First example is my netscaler log and second one is switch log

Switch log syslog message ok.
But netscalar log i get as netscaler_message, how can i rename or replace with syslog_message,

since i have many matching i need to only replace netscaler, and remain rest, any assitance will be appricated.

FROM to TO as below

netscaler_message to syslog_message

Sep 14 22:36:13 NET-VPX02 09/14/2018:21:36:13 GMT NET-VPX02 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 718118 0 : SPCBId 385274 - ClientIP 192.168.255.47 - ClientPort 30850 - VserverServiceIP 192.168.255.55 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA TLSv1.2 Non-Export 256-bit" - Session New - HandshakeTime 2 ms
Sep 14 22:36:11 SWITCH01 9120576: Sep 14 22:36:10.460 BST: %SEC-6-IPACCESSLOGP: list test-in denied tcp 192.168.251.11(65009) -> 10.188.251.254(9100), 5 packets

Grok Pattern

match => [
"message", "%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:device_src} %{NUMBER} %{SYSLOGTIMESTAMP} %{WORD}: %{GREEDYDATA:syslog_message}",
"message", "%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:device_src} %{GREEDYDATA:syslog_message}",
"message", "%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:device_src} %{NUMBER}: %{SYSLOGTIMESTAMP} %{WORD}: %{GREEDYDATA:syslog_message}",
"message", "%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:device_src} %{DATE_US}:%{TIME} GMT %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:netscaler_message}"
]

Structured Data

{
"syslog_hostname": "NET-VPX02",
"syslog_timestamp": "Sep 14 22:36:13",
"netscaler_message": "0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 718118 0 : SPCBId 385274 - ClientIP 192.168.255.47 - ClientPort 30850 - VserverServiceIP 192.168.255.55 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA TLSv1.2 Non-Export 256-bit" - Session New - HandshakeTime 2",
"device_src": "NET-VPX02"
}

{
"syslog_timestamp": "Sep 14 22:36:11",
"syslog_message": "%SEC-6-IPACCESSLOGP: list test-in denied tcp 192.168.251.11(65009) -> 10.188.251.254(9100), 5 packets",
"device_src": "SWITCH01"
}

ramindia · September 15, 2018, 7:09pm

not sure is this correct way to do it, But i can see the results it was renamed as expected.

rename is good or replace ?

mutate {
rename => { "netscaler_message" => "syslog_message" }
}

Christian_Dahlqvist · September 15, 2018, 7:25pm

Why do you not simply change the name of the captured field in the last grok expression?

ramindia · September 15, 2018, 8:05pm

is this one you mean ?

if i change that one, i get different data output.

ramindia · September 15, 2018, 8:09pm

You right, it works, may be i got different output before i guess..
thanks for the input.

system · October 13, 2018, 8:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.