Logstash - Creating new field by taking first word from an other field

Rios · May 29, 2023, 9:25am

Add one more grok.

filter {
  if "WARNING" in [message] or "CRITICAL" in [message] {
    grok {
      match => {
        "message" => "\[%{HTTPDATE:FECHA}\] %{IP:DIR_IP} %{WORD:SERVIDOR} \"%{GREEDYDATA:MENSAJE}\""
      }
    }
   grok {
        match => {
            "MENSAJE" => [
                "^%{LOGLEVEL:SEVERITY}\:\s*"
            ]
        }
    }

  } else {
    drop {}
  }
}

Result:

{
      "message" => "[27/May/2022:19:04:50 +0200] 192.168.0.1 server1 \"WARNING: Este es un mensaje de aviso\"",
      "SERVIDOR" => "server1",
       "MENSAJE" => "WARNING: Este es un mensaje de aviso",
      "SEVERITY" => "WARNING",
         "FECHA" => "27/May/2022:19:04:50 +0200",
        "DIR_IP" => "192.168.0.1"
}

Topic		Replies	Views
Logstash filtering Logstash	1	165	August 29, 2023
Rename the message field from the original log Logstash	3	1754	June 26, 2020
Removing fields from logstash Logstash	67	3175	October 6, 2023
Message field in logstash pipeline Logstash	3	47	July 22, 2025
On ingest I need to create a new field based on the value of a field in the document Logstash	5	446	July 6, 2017

Logstash - Creating new field by taking first word from an other field

Related topics