I have a scenario where I could have firewalls (all the same vendor) that are of differing OS versions sending data to logstash. The only difference in the messages is the number of fields it sends. It's all comma delimited, but it doesn't send the OS version as one of the fields.
What I thought I could do is parse out the 3rd field as that is the serial number of the firewall sending the message. By having the user just add the serial number to 1 of X number of lists, I could then parse and add a field call os_version and then later dissect/grok based on that because they have different number of fields.
What I want to do is to have lists that the user can edit rather than having the serial numbers in the if statement (mainly to make it more readable)
Here is what I currently have:
filter{
grok {
match => { "message" => "%{?FUTURE_USE},%{rcv_time_control_plane},%{observer.serial_number},%{GREEDYDATA:drop}" }
}
if [observer.serial_number] in [1111111,12121212] {
mutate { add_field => { "os_version" => "1" } }
} else if [observer.serial_number] in [1111113,12121213] {
mutate { add_field => { "os_version" => "1.1" } }
} else if [observer.serial_number] in [1111114,12121214]{
mutate { add_field => { "os_version" => "2" }
} else {
mutate { add_field => { "os_version" => "3" }
}
What I would like is something like this:
```
filter {
VERSION_1 = [1111111,12121212]
VERSION_1.1 = [1111113,12121213]
VERSION_2 = [1111114,12121214]
grok {
match => { "message" => "%{?FUTURE_USE},%{rcv_time_control_plane},%{observer.serial_number},%{GREEDYDATA:drop}" }
}
if [observer.serial_number] in [VERSION_1] {
mutate { add_field => { "os_version" => "1" } }
} else if [observer.serial_number] in [VERSION_1.1] {
mutate { add_field => { "os_version" => "1.1" } }
} else if [observer.serial_number] in [VERSION_2]{
mutate { add_field => { "os_version" => "2" }
} else {
mutate { add_field => { "os_version" => "3" }
}
```
Is something like this possible?