Logstash Filter, is there a better way than mine

cRaZyT · April 7, 2022, 2:14pm

Hi,

I have the following Logstash filter, which works, but I find it anything but good, that should work better, right?

Input:

"The container group started for TEST"

  if "The container group started for" in [message] {
    grok {
      match => { "message" => "%%{WORD:w1}\s+%%{WORD:w2}\s+%%{WORD:w3}\s+%%{WORD:w4}\s+%%{WORD:w5}\s+%%{WORD:check}" }
    }
    mutate { remove_field => [ "w1", "w2", "w3", "w4", "w5" ]
    }
  }

Output:

check: "TEST"

The message always consists of 6 words and I have to add the last word in a "check" field.

I had already tried the following ruby filter, which didn't work:

if "The container group started for" in [message] {
    ruby { code => 'event.set("check",event.get("message").split("\s+")[-1])' }
  }

Does somebody has any idea?

Regards
Thorsten

Badger · April 7, 2022, 4:57pm

If you do not want to keep fields then do not name them.

match => { "message" => "^%{WORD}\s+%{WORD}\s+%{WORD:\s+%{WORD}\s+%{WORD}\s+%{WORD:check}" }

leandrojmp · April 7, 2022, 5:18pm

If the message has always the same format, you can use a dissect filter instead of grok.

if "The container group started for" in [message] {
    dissect {
        mapping => {
            "message" => "The container group started for %{check}"
        }
    }
}

cRaZyT · April 8, 2022, 7:57am

Thank you very much, both solutions work perfect, I like the "disect" solution better as I'm at loggerheads with "grok".

Regards
Thorsten

system · May 6, 2022, 7:58am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.