I'm new to Logstash and don't know if what I want to do is even possible. I need to replace some information in logs provided by an application. My example input is:

2017-09-18 10:45:25,404 ERROR some variable text 10.23.42.45 some variable text 10.45.22.111

My task is to replace those IPs with other text. At first I tried to use the grok below:
    grok {
      match => { "log" => ["%{DATA}(?<ip>%{IPV4})%{GREEDYDATA}"] }
    }
    if "_grokparsefailure" not in [tags] {
      mutate {
        gsub => ["log", "%{ip}", "SOMEIP"]
      }
    }
But this way I'm only replacing the first IP and the second one stays unchanged, as grok takes the first match and moves on. I tried to use the %{IPV4} pattern inside mutate but it doesn't work. The main problem is that the logs I have to parse aren't standardized and I have to search for those IPs inside a message. Also, the occurrence of those IPs inside a message varies.
Hi @lueneburger
Thank you for the fast response. I was using the grok debugger but, like I wrote, the logs aren't standardized and this was only an example to show what I want to accomplish. And as the occurrence of the IP and the number of times it occurs vary, my grok pattern would have to look more like this:
Which I wanted to avoid, and what if there is a 5th IP, etc.? The best solution would be to use a loop, but from what I found out there is no for statement in Logstash.
Hi
Yeah, I have tried this, but the problem is that the IPs are different and mutate gsub replaces one string with another, and when I tried to use the %{IPV4} pattern with mutate it didn't work.
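
Added example, not part of the original posts and not Elastic's code: a global regex substitution replaces every IPv4 address in a line without knowing how many there are, which is what the single-capture grok above cannot do. The names `mask_ipv4`, `OCTET` and `IPV4` and the sample lines in the comments are assumptions made for illustration; the `log` field name is taken from the config in the first post.

```ruby
# Mask every IPv4 address in a log line, however many occur and wherever
# they sit in the message. Constructed example; names are hypothetical.

# One octet in the range 0-255, so 999.1.1.1 is not treated as an address.
OCTET = /(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)/

# Four dotted octets. The lookarounds stop a match from starting or ending
# inside a longer dotted number (1.2.3.4.5), while still matching an
# address that is followed by a sentence-ending full stop.
IPV4 = /(?<!\d)(?<!\d\.)#{OCTET}(?:\.#{OCTET}){3}(?!\d|\.\d)/

# Returns the text with all IPv4 addresses replaced. Non-string values
# (a missing field arrives as nil) are returned unchanged.
def mask_ipv4(text, replacement = "SOMEIP")
  return text unless text.is_a?(String)
  text.gsub(IPV4, replacement)
end

# Number of addresses found, useful for checking that nothing was missed.
def count_ipv4(text)
  text.is_a?(String) ? text.scan(IPV4).length : 0
end

# Inside a Logstash ruby filter the same call would be applied per event,
# using the Event API (event.get / event.set):
#   event.set("log", mask_ipv4(event.get("log")))

if __FILE__ == $PROGRAM_NAME
  # Constructed sample line, same shape as the one in the first post.
  line = "2017-09-18 10:45:25,404 ERROR some variable text 10.23.42.45 " \
         "some variable text 10.45.22.111"
  puts mask_ipv4(line)
end
```
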