Discuss the Elastic Stack

Logstash sendmail grok procesing multiple field value

Elastic Stack Logstash

Emilio_Ampudia_Marti (Emilio Ampudia Martin) May 24, 2016, 3:09pm 1

I have this sendmail log line:

May 24 16:17:28 mailserver sendmail[11337]: u4OEHO27011330: to=XXX@ific.uv.es,YYY@ific.uv.es,AAA@ific.uv.es,POPP.AD@ific.uv.es, delay=00:00:04, xdelay=00:00:03, mailer=esmtp, pri=238177, relay=ifmx.ific.uv.es., dsn=2.0.0, stat=Sent (Ok: queued as 1C201A03AB)

I don't know who to process the "to" multiple field.

Something like that:

TOFIELD to=(<%{EMAIL:to}>,)+

I only get the last value, I would like to get them all.

Thanks

Emilio

magnusbaeck (Magnus Bäck) May 24, 2016, 3:13pm 2

I suggest you capture them all into a single field and use the mutate filter's split option to split that field into an array. I also think you should consider using a kv filter instead of grok for the key/value pairs in the log message.

1 Like

© 2020. All Rights Reserved - Elasticsearch

Elasticsearch is a trademark of Elasticsearch BV, registered in the U.S. and in other countries
Trademarks
Terms
Privacy
Brand
Code of Conduct

Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.