Discuss the Elastic Stack

Logstash sendmail grok procesing multiple field value

Elastic Stack Logstash

Emilio_Ampudia_Marti (Emilio Ampudia Martin) May 24, 2016, 3:09pm 1

I have this sendmail log line:

May 24 16:17:28 mailserver sendmail[11337]: u4OEHO27011330: to=XXX@ific.uv.es,YYY@ific.uv.es,AAA@ific.uv.es,POPP.AD@ific.uv.es, delay=00:00:04, xdelay=00:00:03, mailer=esmtp, pri=238177, relay=ifmx.ific.uv.es., dsn=2.0.0, stat=Sent (Ok: queued as 1C201A03AB)

I don't know who to process the "to" multiple field.

Something like that:

TOFIELD to=(<%{EMAIL:to}>,)+

I only get the last value, I would like to get them all.

Thanks

Emilio

magnusbaeck (Magnus Bäck) May 24, 2016, 3:13pm 2

I suggest you capture them all into a single field and use the mutate filter's split option to split that field into an array. I also think you should consider using a kv filter instead of grok for the key/value pairs in the log message.

1 Like

Topic		Replies	Views	Activity
Grok pattern to parse to multiple values Logstash	6	1605	February 26, 2021
Split field into multiple fields Logstash	4	1160	October 15, 2021
Fields in messages Logstash	4	1522	February 23, 2018
Help splitting field into two Logstash	5	475	May 23, 2019
Further split logstash output for a particular field Logstash	2	547	June 15, 2017

© 2020. All Rights Reserved - Elasticsearch

Elasticsearch is a trademark of Elasticsearch BV, registered in the U.S. and in other countries
Trademarks
Terms
Privacy
Brand
Code of Conduct

Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.