I have absolutely no idea how to accomplish what I want to accomplish. I have Elasticsearch, Kibana and Logstash configured (all version 5.6.2) and running on Windows 2012 R2. I have my grok filter that parses the data like I want. Its some dates and asa log numbers, all data that is relatively irrelevant. What I need to pull is an IP address in the message portion of my data, but there are several different messages in the logs (no single format) and there are usually 2 IP addresses in each message (a to and a from). I need to pull the from IP address.
Example message:
Teardown dynamic TCP translation from COVERT:00.00.00.00/00000 to outside:00.00.0.000/00000 duration 0:14:01
and I need to pull out the outside IP address, give it its own field so I can use that field in geoip to map it. It always has the word outside followed by a colon then the IP address, no spaces (like above).
The best I could come up with is an if statement saying if the message has outside in it... but then what do I put as the statement to pull the specific outside IP address?
**just had the idea that I could use outside: as a delimiter and use %{IP} right after to store the IP address and store the rest after as GREEDYDATA. Will this work/ what would the syntax for using outside: as the delimiter to read up to before extracting the IP? Can I use the dissect filter? Syntax?