Logs contains different format of same field name while parsing in logstash

Elastic Stack Logstash
1

Hi,

I am using logstash to parse logs from txt file.I am having field "mstrGateway" and "MstrGateway" in two different logs, how to parse this field in single "mstrGateway" field.
If I make two different fields such as "mstrGateway" and "MstrGateway" then viz will not provide the correct data as both fields are same.

logs-

STAT        : <....> mstrGateWay: ABC
STAT : <......> MstrGateWay ABC

current logstash conf filter-

filter{
 grok {
        break_on_match => false
        match => {
            "message" => [
             "mstrGateWay[:\s]*(?<mstrGateway>[A-Z0-9]+)",
             "MstrGateWay[\s](?<MstrGateWay>[A-Z0-9]+)",
              "STAT[:\s]*(?<STAT>[A-Z]+)"
                ]
            }
         }
}

Thank you !!

2

If you want the field names to be the same, then just make them the same. Change <MstrGateway> to <mstrGateway>

         "mstrGateWay[:\s]*(?<mstrGateway>[A-Z0-9]+)",
         "MstrGateWay[:\s]*(?<mstrGateway>[A-Z0-9]+)"
1 Like
3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.