Logstash Filter, is there a better way than mine

Elastic Stack Logstash
1

Hi,

I have the following Logstash filter, which works, but I find it anything but good, that should work better, right?

Input:

"The container group started for TEST"

  if "The container group started for" in [message] {
    grok {
      match => { "message" => "%%{WORD:w1}\s+%%{WORD:w2}\s+%%{WORD:w3}\s+%%{WORD:w4}\s+%%{WORD:w5}\s+%%{WORD:check}" }
    }
    mutate { remove_field => [ "w1", "w2", "w3", "w4", "w5" ]
    }
  }

Output:

check: "TEST"

The message always consists of 6 words and I have to add the last word in a "check" field.

I had already tried the following ruby ​​filter, which didn't work:

if "The container group started for" in [message] {
    ruby { code => 'event.set("check",event.get("message").split("\s+")[-1])' }
  }

Does somebody has any idea?

Regards
Thorsten

2

If you do not want to keep fields then do not name them.

match => { "message" => "^%{WORD}\s+%{WORD}\s+%{WORD:\s+%{WORD}\s+%{WORD}\s+%{WORD:check}" }
3

If the message has always the same format, you can use a dissect filter instead of grok.

if "The container group started for" in [message] {
    dissect {
        mapping => {
            "message" => "The container group started for %{check}"
        }
    }
}
4

Thank you very much, both solutions work perfect, I like the "disect" solution better as I'm at loggerheads with "grok".

Regards
Thorsten

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.