Logstash filter combine

VamPikmin · April 19, 2020, 10:22pm

Is it possible to use match and mutate in the same filter?

Message is in the following format:

<164>%ASA-4-722051: Group <DfltGrpPolicy> User <test_user> IP <test_ip> IPv4 Address <test_ip> IPv6 address <::> assigned to session

filter {
               if [type] == "cisco-asa" and "ASA-4-722051" in [message] {
               grok {
               match => {
               "message" => "<164>%ASA-4-722051: Group <%{USERNAME:Group}> User <%{NOTSPACE:Username}> IP <%{IP:client_ip}> IPv4 Address <%{IP:client_vpn}> IPv6 address <%{IP:client_vpn_IPv6}> assigned to session"
               }}}}

filter {
       if [type] == "cisco-asa" and "ASA-4-722051" in [message] {
       mutate { remove_field => ["client_vpn_IPv6"] }
       }}

Thanks

Badger · April 19, 2020, 11:51pm

A filter {} section can contain pretty much any number and variety of filters. So the answer is yes.

VamPikmin · April 20, 2020, 12:53am

Thanks @Badger

I was trying to use the mutate filter inside grok...

system · May 18, 2020, 12:54am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.