I have log lines like the following:
src=192.168.100.1:502 rest of message
src=[::1]:304 message details
The format is <ip address>:<port>. I could use dissect easily except for the case shown in the second line. This could be solved if I could specify the direction of matching in dissect.
I could extract the entire string after src= till the next space into a field and then split by : from the right instead of doing it from the left. Is such a thing possible in Logstash currently?
Right, use dissect to grab everything between the = and the space, then grok it
dissect { mapping => { "message" => "src=%{ipAndPort} %{restOfLine}" } }
grok { match => { "ipAndPort" => "%{DATA:ip}:%{NUMBER:port}$" } }Thanks for the clarification @Badger. Would it help to have a direction specification in dissect? I think it can serve as a minor optimization.
Not sure. The reason dissect is so fast is that has very limited functionality. Complicating the parsing might not be worth it.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.