Logstash : Filter column values in a log

Moulika_Magatapalli1 · December 21, 2018, 2:45pm

Hi , I am using Logstash to parse and filter the data. The input data looks something like this:

Nov 28 23:00:31   Phase 0 ended (4 seconds)
                        X Time    X/S    X/SK S/C
                           0.140 [  : 1]   0% TEXT
                           0.270 [  : 1]   0% TEXT
                           0.080 [  : 1]   0% TEXT
--------------------------------------------------------------------------------
               B/W            R/W      S/R               SF            V    P/W
              
               0               0      [: : 0]          7535996       text   text                                       
               0               3      [: : 0]          7535996       text   text 
               1235            2      [: : 0]          7535996       text   text 
			   out             0      [: : 0]          7535996       text   text
               0               0      [: : 0]          7535996       text   text 			 
-----------------------------------------------------------------------------------

I want to access R/W column values. Can anyone help me solving the problem ?

NerdSec · December 24, 2018, 5:56am

What is the data that you need from this? And how are you consuming this?

Moulika_Magatapalli1 · December 24, 2018, 6:11am

In the above sample log, there is a column R/W. I want the sum of R/w column.

NerdSec · December 24, 2018, 10:23am

And how is this data coming? Is it possible to filter out the remaining data from the file?

If you can filter it out, you can use dissect or kv to easily parse the data.

Regards,
Nachiket

Moulika_Magatapalli1 · December 26, 2018, 6:30am

Thank you for the response. It was quite helpful but it couldn't solve my problem. In my case it is unable to detect the pattern. This is how my dissect is :
dissect { mapping => { "message" => "%{B/W} %{R/W} %{S/R} %{SF} %{V} %{P/W}" } }

NerdSec · December 27, 2018, 7:35am

How did you filter out the data that was not needed? Please post the solution if you don't mind, it will probably help others in the future.

From the sample logs, it looks like there are multiple delimiters in your input data. The dissect pattern does not account for multiple consecutive delimiters. Try using the following kind of pattern. More information is available in the docs.

%{BW->} %{RW->} %{SR->} %{SF->} %{V->} %{P/W}

system · January 24, 2019, 7:35am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.