Match part of a log

mr_rob · February 18, 2016, 9:48am

I've seen how to match certain logs, and match every line. But i want to do something a little different (if possible??)

I want to parse a log (that has many different line formats, looking for a particular keyword and then forward the variable pairs from this line to elastic, dropping all the other lines.

the line (and only line) will contain
Feb 18 11:51:36 07[IKE] <ikev1 22400> assigning virtual IP xx.xx.xx.xx to peer 'yyyyyyyy'
i want this, i want parts date, ip and peer

not all lines in the log (charon) will be like this

is this possible?

magnusbaeck · February 18, 2016, 9:49am

Use conditionals to select for which messages the drop filter should be used. To extract certain parts of the message to separate fields use the grok filter as usual.

mr_rob · February 18, 2016, 10:22am

thanks,
as i see it the only way is to create match patterns for the drop?
and then grok the one i want?

was hoping i could work a way of grok one thing i want, and drop anything else..

magnusbaeck · February 18, 2016, 10:36am

Well, you could do

grok {
  match => ...
}
if "_grokparsefailure" in [tags] {
  drop { }
}

to drop all events that don't match the grok expression.

system · July 6, 2017, 5:10am