Ignore a specific or drop a field when using another Grok Pattern

Hi,
I have a filter that works except when the log doesn't contain the expected data for a field that I am using an extra grok pattern on. I am extracting the username from the DN (Distinguished Name) in the main log and it works. The problem is that one of the logs comes in wonky and it assigns the session ID to the DN. So for example the below works with my filter.

message":"03-MAR-21 00:48:52|172.24.112.78|5|CN=amacctotsspulse,OU=Test Users,OU=Test,OU=Business Units,DC=Test,DC=corp,DC=Test,DC=ca|1aIek2sJlgoYgP+4oP+Sul32AG0=|Test App

filter {
  # Split the pipe-delimited message; src.ip, dn, session_id and application_name are optional
  grok {
    match => { "message" => [ "%{GREEDYDATA:timestamp}\|(%{IPV4:src.ip})?\|%{WORD:event.id}\|(%{GREEDYDATA:dn})?\|(%{NOTSPACE:session_id})?\|(%{GREEDYDATA:application_name})?" ] }
  }

  # Pull the first RDN value (e.g. CN=<user>,) out of the DN as user.name
  grok {
    match => { "dn" => [ "(\w+\=%{NOTSPACE:user.name}\,)?" ] }
    remove_field => ["message","host"]
  }

  date {
    match => [ "timestamp", "dd-MMM-yy HH:mm:ss" ]
    target => "@timestamp"
  }
}

The issue occurs when the below log appears.
message="03-MAR-21 22:08:23||10|session ID=vqZpWuFj95CepNVGgYfUu5acKng=|vqZpWuFj95CepNVGgYfUu5acKng=|"

I need to somehow make it so that the DN grok pattern in the extra grok pattern drops or doesn't try to match when it sees "|session ID=", because right now it assigns the session ID to the DN field, as per below:

"dn": "session ID=vqZpWuFj95CepNVGgYfUu5acKng=",

Is there some way to say that if match => { "dn" => [ "(\w+=%{NOTSPACE:user.name},)?" ] } contains "session ID=", drop just the DN for this or ignore this, but continue to keep a valid DN? I don't want to drop the entire message, just the DN field.

So basically I want to remove this but only when "session ID=" shows up, and keep it for a valid DN.

How about

if [dn] =~ /^session ID=/ { mutate { remove_field => [ "dn" ] } }
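To see why the first grok lands the session ID in dn on the second line and how the guard above fixes it, here is an added plain-Ruby emulation of the pipeline (grok, grok-on-dn, date, then the conditional remove_field). It is not Logstash code and not from the thread: the grok patterns are hand-expanded to equivalent regexes (GREEDYDATA to .*, IPV4 to a dotted quad, WORD to \w+, NOTSPACE to \S+), field names use underscores instead of dots, and empty captures are dropped as a simplification. The two sample lines are the ones quoted in the question.

```ruby
require 'time'

# Hand-expanded equivalent of the first grok pattern. Unanchored, like grok,
# so the backtracking behaves the same way: on the wonky line the only way
# to satisfy the trailing "|<session_id>|<app>" is for dn to swallow "session ID=...".
MAIN_RE = /(?<timestamp>.*)\|(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})?\|(?<event_id>\w+)\|(?<dn>.*)?\|(?<session_id>\S+)?\|(?<application_name>.*)?/

# Equivalent of the second grok on dn: "(\w+=%{NOTSPACE:user.name},)?".
# "session ID=..." never matches because of the space after "session".
USER_RE = /(?:\w+=(?<user_name>\S+),)?/

# The two log lines quoted in the question (constructed test input).
SAMPLE_LINES = [
  '03-MAR-21 00:48:52|172.24.112.78|5|CN=amacctotsspulse,OU=Test Users,OU=Test,OU=Business Units,DC=Test,DC=corp,DC=Test,DC=ca|1aIek2sJlgoYgP+4oP+Sul32AG0=|Test App',
  '03-MAR-21 22:08:23||10|session ID=vqZpWuFj95CepNVGgYfUu5acKng=|vqZpWuFj95CepNVGgYfUu5acKng=|',
].freeze

# Runs one message through the emulated filter chain and returns the event hash.
def parse_event(message)
  m = MAIN_RE.match(message)
  return { 'tags' => ['_grokparsefailure'] } unless m

  event = {}
  # grok only sets fields for captures that actually matched (empty ones dropped here)
  m.names.each { |n| event[n] = m[n] if m[n] && !m[n].empty? }

  # Second grok: first RDN value of the DN becomes user.name
  if event['dn'] && (u = USER_RE.match(event['dn'])) && u['user_name']
    event['user.name'] = u['user_name']
  end

  # date filter: "dd-MMM-yy HH:mm:ss" -> @timestamp
  if event['timestamp']
    event['@timestamp'] = Time.strptime(event['timestamp'], '%d-%b-%y %H:%M:%S')
                              .strftime('%Y-%m-%dT%H:%M:%S')
  end

  # The guard from the answer: if [dn] =~ /^session ID=/ { mutate { remove_field => ["dn"] } }
  event.delete('dn') if event['dn']&.start_with?('session ID=')
  event
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_LINES.each { |line| p parse_event(line) }
end
```

Running it prints the first event with dn and user.name populated and the second event with neither, while session_id, event_id and @timestamp survive on both, which is exactly the behaviour the remove_field guard produces in Logstash.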

Works!! Thanks
