I have Logstash, Kibana and Elasticsearch versions 5.6.2 installed on Windows 2012 R2. I have a grok pattern that reads in text file entries adequately. The end of each entry is a message field containing a couple of different formats; sometimes an IP address, sometimes 2 IP addresses and different messages attached. What I need is to pull only the entries that have an outside IP address, and I need to pull that IP address and put it in a field and use it as the source for geoIP. I was thinking of using the dissect filter in an if statement to weed out the entries that do not have an outside IP address. I don't know if I can (or how to) use the dissect filter on literal message text (unstructured) to pull just one IP address (sometimes there are 2 IP addresses).
Some example messages (parsed into a greedydata field using a grok filter):
UDP request discarded from 00.00.000.00/000 to outside:000.0.0.0/00
Built dynamic UDP translation from COVERT:00.00.00.00/0000 to outside:00.00.0.000/00000
Teardown UDP connection 560221 for outside:00.000.0.0/00 to COVERT:00.00.00.00/00000 duration 0:00:00 bytes 200
Built local-host outside:00.000.00.00
Thanks in advance!
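One way to do this, as an added example in Logstash pipeline syntax that is not part of the original post: dissect needs fixed delimiters, which these messages do not have, so the example uses a conditional to keep only events whose message contains an `outside:` address, then a grok match anchored on the literal `outside:` token to capture the address that follows it, and finally geoip on that field. The field name `outside_ip`, the tag name, and the assumption that the text is already in `[message]` and that the bundled GeoLite2 database is used are all my choices, not anything from the original post.

```logstash
filter {
  # Keep only entries that carry an "outside:" address. Doing this in a
  # conditional avoids grok tagging every other line with _grokparsefailure.
  if [message] =~ /outside:\d{1,3}(\.\d{1,3}){3}/ {
    grok {
      # %{IP} stops at the "/port" suffix, so both "outside:x.x.x.x/yy" and
      # the port-less "outside:x.x.x.x" form are handled. Only the address
      # after "outside:" is captured; the second address (COVERT:...) is
      # ignored, which is what the question asks for.
      match => { "message" => "outside:%{IP:outside_ip}" }
      add_tag => [ "outside_ip" ]   # assumption: tag name chosen here
    }
    geoip {
      # assumption: default bundled GeoLite2-City database in 5.6
      source => "outside_ip"
      target => "geoip"
    }
  } else {
    # Entries without an outside address are not wanted; remove this block
    # if they should be indexed without geo data instead.
    drop { }
  }
}
```

Two things to check when testing: the zero-padded placeholder addresses in the sample lines above are not routable, so geoip will add nothing for them until real log lines are used, and if `outside:` can ever be followed by an IPv6 address the conditional regex should be widened (the `%{IP}` grok pattern already accepts both families).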