Hi All,
I'm a newbie to ELK.
I need to write a grok command to separate the value below. I have some challenges in achieving it.
Value = uda:eop:de:solu:400003112342.E_BADF_COE_009_003.DI poc
grok command = %{WORD:line1}:%{WORD:line}:%{WORD:stnd}:%{WORD:identification}:%{BASE10NUM:Assetnumber}.%{WORD:verb}
I have a problem in splitting the following value (E_BADF_COE_009_003.DI poc). When I write a grok command it takes it as a single value (E_BADF_COE_009_003). Instead of taking it as a single value, I need to split it and store it in separate fields (e.g. %{WORD:verb1}%{WORD:verb2}%{WORD:verb3}):
Verb1:E
Verb2:BADF
Verb3:COE
etc
Please guide me on how to do it.
Thanks in advance
Hi,
I'm not so good with the GROK filter. You can use the mutate filter after the grok as below to split the verb field.
grok {
  # Capture the named fields; "\." matches the literal dot before the verb
  match => { "message" => "%{WORD:line1}:%{WORD:line}:%{WORD:stnd}:%{WORD:identification}:%{BASE10NUM:Assetnumber}\.%{WORD:verb}" }
}
mutate {
  # Turns "E_BADF_COE_009_003" into the array ["E", "BADF", "COE", "009", "003"]
  split => { "verb" => "_" }
  # add_field runs after split; array elements are referenced as [verb][n]
  add_field => {
    "verb1" => "%{[verb][0]}"
    "verb2" => "%{[verb][1]}"
    "verb3" => "%{[verb][2]}"
  }
}
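To see why the grok pattern keeps E_BADF_COE_009_003 as one token and how the split then yields verb1..verbN, here is an added Python emulation of the grok + mutate pipeline above (example code, not from the thread or Logstash itself). It assumes the stock grok definition WORD = \b\w+\b and a simplified BASE10NUM; the sample line is constructed from the question.

```python
import re

# Constructed sample line taken from the question (not a real log).
SAMPLE = "uda:eop:de:solu:400003112342.E_BADF_COE_009_003.DI poc"

# Regex equivalents of the grok patterns used in the thread. WORD is the stock
# grok definition; \w includes "_", which is why WORD swallows the whole
# E_BADF_COE_009_003 token. BASE10NUM is simplified here (assumption: plain
# signed decimal, without grok's atomic group and lookbehind).
WORD = r"\b\w+\b"
BASE10NUM = r"[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)"

# The dot before the verb is escaped; the unescaped "." in the original
# pattern would match any single character.
GROK = re.compile(
    rf"^(?P<line1>{WORD}):(?P<line>{WORD}):(?P<stnd>{WORD}):"
    rf"(?P<identification>{WORD}):(?P<Assetnumber>{BASE10NUM})\.(?P<verb>{WORD})"
)


def parse_event(message: str) -> dict:
    """Emulate grok match followed by mutate split on "_" and add_field.

    Returns the named fields plus verb1..verbN, one per underscore-separated
    part. A non-matching line is tagged like Logstash's _grokparsefailure.
    """
    match = GROK.search(message)
    if match is None:
        return {"message": message, "tags": ["_grokparsefailure"]}
    event = {"message": message, **match.groupdict()}
    parts = event["verb"].split("_")
    event["verb"] = parts  # mutate split turns the string field into a list
    for index, part in enumerate(parts, start=1):
        event[f"verb{index}"] = part  # add_field "verbN" => "%{[verb][N-1]}"
    return event


if __name__ == "__main__":
    for key, value in parse_event(SAMPLE).items():
        print(f"{key}: {value}")
```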
Hi @shankarananth
You can use the below "logstash.conf" file for splitting the value.
logstash.conf
input { stdin { } }
filter {
  mutate {
    # Split the whole message on "_" into an array
    split => { "message" => "_" }
  }
}
output {
  stdout { codec => rubydebug }
}
I executed with the above "logstash.conf" and got the output below.
Maybe this will help you.
$ bin/logstash -f /etc/logstash/conf.d/logstash.conf
uda:eop:de:solu:400003112342.E_BADF_COE_009_003.DI poc
{
"host" => "localhost",
"@timestamp" => 2019-06-25T09:21:52.720Z,
"@version" => "1",
"message" => [
[0] "uda:eop:de:solu:400003112342.E",
[1] "BADF",
[2] "COE",
[3] "009",
[4] "003.DI poc"
]
}
Thanks,
Kiran