Logstash grok For GREEDYDATA Field

Elastic Stack Logstash
1

Hi Experts,

I have a grok Filter thats working fine but now i have another challenge to split the GREEDYDATA data field by comm(,) that's generally a last field in the GREEDYDATA .

Data after comma will be alike /proj/cvial/WS/BUNGEE/REBASE_190120-138_2/tools.lnx86/dfII/group/bin/src

Below is the complete data log to which i'm applying the grok.

dbproj01,19/02/01,00:04,23-hrs,cvial,cvial 120804 0.0 0.0 106096 1200 pts/90 S Jan30 0:00 /bin/sh -c /bin/rm -f ../../../../../../tools.lnx86/dfII/etc/context/64bit/hBrowser.cxt ../../../../../../
tools.lnx86/dfII/etc/context/64bit/hBrowser.toc ../../../../../../tools.lnx86/dfII/etc/context/64bit/hBrowser.aux ../../../../../../tools.lnx86/dfII/etc/context/64bit/hBrowser.ini ; (CUR_DIR=`pwd` ;
 cd ../../../../obj/linux-x86-64/optimize/bin/virtuoso ; ${CUR_DIR}/../../../../../../tools.lnx86/dfII/bin/virtuoso -ilLoadIL hBrowserBuildContext.il -log hBrowserBuildContext.log -nograph && [ `/bi
n/grep -c Error hBrowserBuildContext.log` = 0 ]) || (echo '*** Error: Failed to build hBrowser context.' ; /bin/rm -f ../../../../../../tools.lnx86/dfII/etc/context/64bit/hBrowser.cxt ../../../../..
/../tools.lnx86/dfII/etc/context/64bit/hBrowser.toc ../../../../../../tools.lnx86/dfII/etc/context/64bit/hBrowser.aux ../../../../../../tools.lnx86/dfII/etc/context/64bit/hBrowser.ini ; exit 1),/proj/cvial/WS/BUNGEE/REBASE_190120-138_2/tools.lnx86/dfII/group/bin/src

My current grok look like below:

match => { "message" => "%{HOSTNAME:Hostname},%{DATE:Date},%{HOUR:Hour}:%{MINUTE:Mins},%{NUMBER:duration}-%{WORD:hm},%{USER:User},%{USER:User_1} %{NUMBER:Pid} %{NUMBER:float} %{NUMBER:float} %{NUMBER:Num_1} %{NUMBER:Num_2} %{DATA} (?:%{HOUR:hour2}:|)(?:%{MINUTE:minute2}|) (?:%{HOUR:hour3}:|)(?:%{MINUTE:minute3}|)%{GREEDYDATA:Command}" }

After searching around i found this can be something like below and having another grok filter addition:

    grok {
      match => { "message" => "%{HOSTNAME:Hostname},%{DATE:Date},%{HOUR:Hour}:%{MINUTE:Mins},%{NUMBER:duration}-%{WORD:hm},%{USER:User},%{USER:User_1} %{NUMBER:Pid} %{NUMBER:float} %{NUMBER:float} %{NUMBER:Num_1} %{NUMBER:Num_2} %{DATA} (?:%{HOUR:hour2}:|)(?:%{MINUTE:minute2}|) (?:%{HOUR:hour3}:|)(?:%{MINUTE:minute3}|)%{GREEDYDATA:Command}" }
    grok {
      match => { "source" => "/%{GREEDYDATA:CMD}/%{GREEDYDATA:PWD_PATH}" }

In the above the CMD Will be command and PWD_PATH will be from where command is running However, i did not tested this yet.

I'm not Sure if this is correct, i believe there will be another elegant way to achieve this.

2

I cannot see where source is created, so I am not sure what value you have in it. Can you show us? Should CMD and PWD_PATH be reversed?

3

@Badger, thanks for your reply , Yeah i missed that , However, i got this working simply another way around as below:

grok {
 match => { "message" => "%{HOSTNAME:Hostname},%{DATE:Date},%{HOUR:dt_h}:%{MINUTE:dt_m},%{NUMBER:duration}-%{WORD:hm},%{USER:User},%{USER:User_1} %{NUMBER:Pid} %{NUMBER:float} %{NUMBER:float} %{NUMBER:Num_1} %{NUMBER:Num_2} %{DATA} (?:%{HOUR:dt_h1}:|)(?:%{MINUTE:dt_m1}|) (?:%{HOUR:dt_h2}:|)(?:%{MINUTE:dt_m2}|)%{GREEDYDATA:CMD},%{GREEDYDATA:PWD_PATH}" }

Simple below:

{GREEDYDATA:CMD},%{GREEDYDATA:PWD_PATH}

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.