Need help on Grok Filter?

Hi All,

I'm a newbie to ELK.
I need to write a grok command to separate the value below. I have some challenges in achieving it.

Value = uda:eop:de:solu:400003112342.E_BADF_COE_009_003.DI poc

grok command =%{WORD:line1}:%{WORD:line}:%{WORD:stnd}:%{WORD:identification}:%{BASE10NUM:Assetnumber}.%{WORD:verb}

I have a problem splitting the following value (E_BADF_COE_009_003.DI poc). When I write a grok command, it takes it as a single value (E_BADF_COE_009_003). Instead of taking it as a single value, I need to split it and store it in separate fields (e.g. %{WORD:verb1}%{WORD:verb2}%{WORD:verb3}):
Verb1: E
Verb2: BADF
Verb3: COE
etc.
Please guide me on how to do it.

Thanks in advance :)

Hi,

I'm not so good with the grok filter. You can use the mutate filter after the grok, as below, to split the verb field.

filter {
	grok {
		# "\." matches a literal dot; an unescaped "." matches any character.
		# INT is used instead of BASE10NUM because BASE10NUM can also consume
		# the trailing dot, after which the literal "\." no longer matches.
		match => { "message" => "%{WORD:line1}:%{WORD:line}:%{WORD:stnd}:%{WORD:identification}:%{INT:Assetnumber}\.%{WORD:verb}" }
	}

	mutate {
		# verb becomes an array: ["E", "BADF", "COE", "009", "003"]
		split => { "verb" => "_" }
	}

	mutate {
		# array elements are referenced as %{[field][index]}
		add_field => {
			"verb1" => "%{[verb][0]}"
			"verb2" => "%{[verb][1]}"
			"verb3" => "%{[verb][2]}"
		}
	}
}

Hi @shankarananth

You can use the "logstash.conf" file below to split the value.

logstash.conf

input { stdin { } }

filter {
  mutate {
    # split the whole line on "_"; the first and last elements keep
    # the text before the first "_" and after the last "_"
    split => { "message" => "_" }
  }
}

output {
  stdout { codec => rubydebug }
}

I executed the above "logstash.conf" and got the output below.
Hopefully this will help you.

$ bin/logstash -f /etc/logstash/conf.d/logstash.conf

uda:eop:de:solu:400003112342.E_BADF_COE_009_003.DI poc
{
          "host" => "localhost",
    "@timestamp" => 2019-06-25T09:21:52.720Z,
      "@version" => "1",
       "message" => [
        [0] "uda:eop:de:solu:400003112342.E",
        [1] "BADF",
        [2] "COE",
        [3] "009",
        [4] "003.DI poc"
    ]
}

Thanks,
Kiran

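Since every separator in this value is fixed (":" four times, then ".", then "_" four times, then "." and a space), the whole line can be taken apart in one pass with the dissect filter instead of grok plus mutate. Dissect matches literal delimiters from left to right with no regular expression, so it has no backtracking behaviour on odd input and no unescaped-dot ambiguity. The config below is an added example written for this thread, not code from either reply; the field names up to "verb5" are the ones used in the thread, while "suffix" and "tail" for the ".DI poc" part are names assumed here.

```logstash
input { stdin { } }

filter {
  dissect {
    # Each %{name} takes the text up to the next literal delimiter in the
    # mapping; the last field takes the rest of the line.
    # "suffix" and "tail" are assumed names for the ".DI poc" part.
    mapping => {
      "message" => "%{line1}:%{line}:%{stnd}:%{identification}:%{Assetnumber}.%{verb1}_%{verb2}_%{verb3}_%{verb4}_%{verb5}.%{suffix} %{tail}"
    }
    # dissect captures strings; store the asset number as a number.
    # verb4/verb5 are left as strings so "009" keeps its leading zero.
    convert_datatype => { "Assetnumber" => "int" }
  }

  # A line that does not have exactly this shape (for example fewer than
  # five "_"-separated parts) is tagged _dissectfailure rather than being
  # half-parsed; the raw message is kept and flagged for review.
  if "_dissectfailure" in [tags] {
    mutate { add_field => { "parse_status" => "unparsed" } }
  }
}

output {
  stdout { codec => rubydebug }
}
```

Run it as in the reply above (bin/logstash -f logstash.conf) and paste the sample line on stdin. For "uda:eop:de:solu:400003112342.E_BADF_COE_009_003.DI poc" the event gets line1 = "uda", line = "eop", stnd = "de", identification = "solu", Assetnumber = 400003112342, verb1 = "E", verb2 = "BADF", verb3 = "COE", verb4 = "009", verb5 = "003", suffix = "DI" and tail = "poc". If the verb part can have a variable number of "_"-separated segments, keep the mapping up to "%{verb}." and use mutate split on "verb" as in the first reply; dissect needs a fixed number of delimiters.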
