Match part of a log

mr_rob · February 18, 2016, 9:46am

I've seen how to match certain logs, and match every line. But i want to do something a little different (if possible??)

I want to parse a log (that has many different line formats, looking for a particular keyword and then forward the variable pairs from this line to elastic, dropping all the other lines.

the line (and only line) will contain
Feb 18 11:51:36 07[IKE] <ikev1 22400> assigning virtual IP xx.xx.xx.xx to peer 'yyyyyyyy'
i want this, i want parts date, ip and peer

not all lines in the log (charon) will be like this

is this possible?

magnusbaeck · February 18, 2016, 9:49am

Use conditionals to select for which messages the drop filter should be used. To extract certain parts of the message to separate fields use the grok filter as usual.

mr_rob · February 18, 2016, 10:22am

thanks,
as i see it the only way is to create match patterns for the drop?
and then grok the one i want?

was hoping i could work a way of grok one thing i want, and drop anything else..

magnusbaeck · February 18, 2016, 10:36am

Well, you could do

grok {
  match => ...
}
if "_grokparsefailure" in [tags] {
  drop { }
}

to drop all events that don't match the grok expression.

Topic		Replies	Views
Drop some line when match in logstash Logstash	2	6510	April 25, 2017
Beginner question grok + pattern matching + different line format Logstash	2	1234	June 14, 2017
Drop all grok matches Logstash	10	4038	September 14, 2017
Quick Question on Grok and filtering Logstash	3	260	May 21, 2018
Drop event Logstash	8	6647	May 9, 2018

Match part of a log

Related topics