Ingest Pipeline Creating Grok Pattern with string as dependency

Hi,

I am exploring ingest pipelines. The grok processor is working as expected.
But I only want to execute the grok pattern if the field contains a certain string. How can I add an `if` condition along the lines of "if message =~ ssh2" then run the grok pattern, and otherwise skip the extraction?

POST _ingest/pipeline/_simulate
{
  "pipeline": {
    "description": "..",
    "processors": [
      {
        "grok": {
        "field": "message",
        "patterns": ["%{SYSLOGTIMESTAMP:syslog_timestamp} %{DATA:secure_server_name} %{WORD:secure_service}\\[%{NUMBER:secure_process_id}\\]: %{DATA:secure_outcome} for (invalid user %{DATA:secure_user}|%{DATA:secure_user}) from %{IP:secure_ip} port %{NUMBER:secure_port} %{DATA}$"]
        }
      }
    ]
  },
  "docs": [
    {
      "_source":{
        "message":"Feb 11 18:59:20 _TEST-ELK sshd[1205325]: Accepted password for test-user from 192.168.1.10 port 60912 ssh2"
      }
    }]
}

Here is an example using `contains` in the processor's `if` condition (the `ctx.message != null` guard keeps the condition from failing on documents that have no `message` field):

There is also `endsWith` if that is what you want.

POST _ingest/pipeline/_simulate
{
  "pipeline": {
    "description": "..",
    "processors": [
      {
        "grok": {
          "if": "ctx.message != null && ctx.message.contains('ssh2')", 
          "field": "message",
          "patterns": [
            """%{SYSLOGTIMESTAMP:syslog_timestamp} %{DATA:secure_server_name} %{WORD:secure_service}\[%{NUMBER:secure_process_id}\]: %{DATA:secure_outcome} for (invalid user %{DATA:secure_user}|%{DATA:secure_user}) from %{IP:secure_ip} port %{NUMBER:secure_port} %{DATA}$"""
          ]
        }
      }
    ]
  },
  "docs": [
    {
      "_source": {
        "message": "Feb 11 18:59:20 _TEST-ELK sshd[1205325]: Accepted password for test-user from 192.168.1.10 port 60912 ssh2"
      }
    },
    {
      "_source": {
        "message": "Feb 11 18:59:20 _TEST-ELK sshd[1205325]: Accepted password for test-user from 192.168.1.10 port 60912 ssh1"
      }
    }
  ]
}

# Results
{
  "docs": [
    {
      "doc": {
        "_index": "_index",
        "_version": "-3",
        "_id": "_id",
        "_source": {
          "secure_outcome": "Accepted password",
          "secure_user": "test-user",
          "secure_ip": "192.168.1.10",
          "syslog_timestamp": "Feb 11 18:59:20",
          "secure_process_id": "1205325",
          "secure_server_name": "_TEST-ELK",
          "message": "Feb 11 18:59:20 _TEST-ELK sshd[1205325]: Accepted password for test-user from 192.168.1.10 port 60912 ssh2",
          "secure_port": "60912",
          "secure_service": "sshd"
        },
        "_ingest": {
          "timestamp": "2024-02-11T22:55:38.633068406Z"
        }
      }
    },
    {
      "doc": {
        "_index": "_index",
        "_version": "-3",
        "_id": "_id",
        "_source": {
          "message": "Feb 11 18:59:20 _TEST-ELK sshd[1205325]: Accepted password for test-user from 192.168.1.10 port 60912 ssh1"
        },
        "_ingest": {
          "timestamp": "2024-02-11T22:55:38.633107918Z"
        }
      }
    }
  ]
}
