Logstash filter with separator "_"

Hello, I am using Logstash to collect data from a FortiGate. I have one special field that I use to check the number of connections per day. This "vpn" field holds values like sz_forti or szec_forti. I need to take the characters before the "_" (for example sz_forti -> sz) so that I can test them against a pattern and then group them. How can I do this? (In Python you can split a string by a separator into an array, but I am new to Elasticsearch and this became a problem for me.)
Full contents of my conf.d file:

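input {
  # FortiGate syslog arrives here over UDP. UDP carries no sender
  # authentication, so any host that can reach port 5517 can inject events
  # of type "forti_log"; restrict reachability to the firewall's address at
  # the network level.
  udp {
    port => 5517
    type => "forti_log"
  }
}

filter {
  if [type] == "forti_log" {
    # Split the key=value syslog body into event fields. Every key present in
    # the message becomes a field, so unexpected keys in the log text turn
    # into new index fields; "type" and "subtype" are skipped so they do not
    # clobber the input's [type].
    kv {
      source => "message"
      exclude_keys => [ "type", "subtype" ]
    }

    # FortiGate emits both naming styles (dst/dstip, src/srcip) depending on
    # the log type, so each candidate is enriched. A source field that is
    # absent or not a public address gets geoip's default failure tag instead
    # of a location.
    geoip { source => "dst" }
    geoip { source => "dstip" }
    geoip { source => "src" }
    geoip { source => "srcip" }

    mutate {
      # Normalise the two FortiGate naming styles onto one field each.
      # NOTE(review): when both source names appear in the same event the
      # later rename overwrites the earlier result — TODO confirm that is
      # acceptable for "action", which FortiGate may already emit.
      rename => [ "dst", "dst_ip" ]
      rename => [ "dstip", "dst_ip" ]
      rename => [ "dstport", "dst_port" ]
      rename => [ "devname", "device_id" ]
      rename => [ "status", "action" ]
      rename => [ "src", "src_ip" ]
      rename => [ "srcip", "src_ip" ]
      rename => [ "zone", "src_intf" ]
      rename => [ "srcintf", "src_intf" ]
      rename => [ "srcport", "src_port" ]
      # Both received-byte counters map onto the same name; the original
      # renamed "rcvd" to "byte_recieved", which the convert below never
      # touched, so that counter stayed a string.
      rename => [ "rcvd", "bytes_recieved" ]
      rename => [ "rcvdbyte", "bytes_recieved" ]
      rename => [ "sentbyte", "bytes_sent" ]
      rename => [ "sent", "bytes_sent" ]
      convert => ["bytes_recieved", "integer"]
      convert => ["bytes_sent", "integer"]
      remove_field => [ "msg" ]
    }

    # Group the "vpn" field by the prefix before its first "_"
    # (sz_teplov -> sz -> "Energetic", sczv_vedom -> sczv -> "MGBD").
    if [vpn] {
      grok {
        # "[^_]+" stops at the first underscore; GREEDYDATA would run on to
        # the last one ("a_b_c" -> "a_b").
        match => { "vpn" => "^(?<vpn_prefix>[^_]+)_" }
        # Tag events whose vpn value has no "_" instead of failing silently.
        tag_on_failure => [ "_vpn_prefix_failure" ]
      }
      # Compare with "==": the "in" operator is a substring test on string
      # fields, so "sz" in [vpn_prefix] would also be true for "szec".
      if [vpn_prefix] == "sz" {
        mutate { add_field => { "vpn_group" => "Energetic" } }
      } else if [vpn_prefix] == "sczv" {
        mutate { add_field => { "vpn_group" => "MGBD" } }
      }
    }
  }
}

output {
  if [type] == "forti_log" {
    # No ssl/user/password options are set, so this targets a plain HTTP
    # endpoint without credentials — TODO confirm that matches the cluster's
    # security settings.
    elasticsearch {
      hosts => "localhost:9200"
      index => "forti-%{+YYYY.MM.dd}"
    }
  }
}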

Hi Vik,

If I understand your question correctly,
you could use grok to split the field, and then an if/else conditional with mutate + add_field to group the values accordingly.

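 grok {
    # Capture everything before the FIRST "_": "[^_]+" cannot cross an
    # underscore, whereas GREEDYDATA would run on to the last one
    # ("a_b_c" -> "a_b").
    match => { "vpn" => "^(?<fieldname>[^_]+)_" }
    # Tag events whose vpn value has no "_" instead of leaving [fieldname]
    # silently unset.
    tag_on_failure => [ "_vpn_grok_failure" ]
  }

 # Use "==" for an exact match: Logstash's "in" on a string field is a
 # substring test, so "sz" in [fieldname] would also be true for "szec".
 if [fieldname] == "sz" {
   mutate { add_field => { "vpn_group" => "Energetic" } }
 } else if [fieldname] == "sczv" {
   mutate { add_field => { "vpn_group" => "MGBD" } }
 }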

sczv_vedom

{
  "fieldname": [
    "sczv"
  ]
}

sz_teplov

{
  "fieldname": [
    "sz"
  ]
}

szec_forti

{
  "fieldname": [
    "szec"
  ]
}

Hope this helps you!!

Thank you. Can I use grok inside my kv filter?

Sorry, I am not sure about this too :frowning:
