Hi,
I have a filter that works except for when the log doesn't contain different data for a field that I am using an extra grok pattern on. I am extracting the username from the DN (Distinguished Name) from the main log and it works. The problem is one of the logs comes in wonky and it assigns the session ID to the DN. So for example the below works with my filter.
```
message":"03-MAR-21 00:48:52|172.24.112.78|5|CN=amacctotsspulse,OU=Test Users,OU=Test,OU=Business Units,DC=Test,DC=corp,DC=Test,DC=ca|1aIek2sJlgoYgP+4oP+Sul32AG0=|Test App
```
```
filter
{
  grok {
    match => { "message" => [ "%{GREEDYDATA:timestamp}\|(%{IPV4:src.ip})?\|%{WORD:event.id}\|(%{GREEDYDATA:dn})?\|(%{NOTSPACE:session_id})?\|(%{GREEDYDATA:application_name})?" ] }
  }
  grok
  {
    match => { "dn" => [ "(\w+\=%{NOTSPACE:user.name}\,)?" ] }
    remove_field => ["message","host"]
  }
  date {
    match => [ "timestamp", "dd-MMM-yy HH:mm:ss" ]
    target => "@timestamp"
  }
}
```
The issue occurs when the below log appears.
```
message="03-MAR-21 22:08:23||10|session ID=vqZpWuFj95CepNVGgYfUu5acKng=|vqZpWuFj95CepNVGgYfUu5acKng=|"
```
I need to somehow make it so that the DN grok pattern in the extra grok pattern drops or doesn't try and match when it sees `|session ID=`, because right now it assigns the session ID to the DN field, as per below:
```
"dn": "session ID=vqZpWuFj95CepNVGgYfUu5acKng=",
```
Is there some way to say that if `match => { "dn" => [ "(\w+=%{NOTSPACE:user.name},)?" ] }` contains "session ID" drop just the DN for this or ignore this, but continue to keep a valid DN? I don't want to drop the entire message, just the DN field.
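One way to get that behaviour, written here as an added example rather than the poster's own config, is to test the extracted `[dn]` value with a Logstash conditional before the second grok runs. The malformed event places `session ID=<value>` where the DN should be, so a `mutate` guarded by `if [dn] =~ /^session ID=/` removes only that field and leaves `session_id`, `event.id` and the rest of the event untouched. The username grok is then wrapped in `if [dn]` so it only runs on a DN that survived the check, and `remove_field` for `message`/`host` is moved into its own `mutate` so it still fires when `[dn]` is absent (the original pattern `(\w+=%{NOTSPACE:user.name},)?` is entirely optional, so that grok never fails; it simply sets nothing on the bad event). The grok patterns and field names are the poster's; the conditional and the split `mutate` are the added part.

```conf
filter {
  grok {
    match => { "message" => [ "%{GREEDYDATA:timestamp}\|(%{IPV4:src.ip})?\|%{WORD:event.id}\|(%{GREEDYDATA:dn})?\|(%{NOTSPACE:session_id})?\|(%{GREEDYDATA:application_name})?" ] }
  }

  # Malformed events carry "session ID=<value>" in the DN position.
  # Drop just the bogus [dn]; the rest of the event is kept as-is.
  if [dn] =~ /^session ID=/ {
    mutate { remove_field => [ "dn" ] }
  }

  # Only try to extract the username from a DN that passed the check above.
  if [dn] {
    grok {
      match => { "dn" => [ "(\w+=%{NOTSPACE:user.name},)?" ] }
    }
  }

  # Cleanup that previously lived inside the second grok; done here so it
  # also runs for events whose [dn] was removed.
  mutate { remove_field => [ "message", "host" ] }

  date {
    match => [ "timestamp", "dd-MMM-yy HH:mm:ss" ]
    target => "@timestamp"
  }
}
```

With this in place, the good event above still yields `dn` = `CN=amacctotsspulse,...` and `user.name` = `amacctotsspulse`, while the wonky event ends up with `session_id` set and no `dn` or `user.name` field at all, and neither event is dropped.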