Overwrite message field issue in grok match

Muhammad_Faisal · December 21, 2020, 8:22pm

i want to overwrite message field , but it only overwrites last match i.e. IP and is not overwriting first match i.e. number

`input {
stdin{}
}

filter {
grok {
match => { "message" => "%{DATA}(?<message>(\d{9,12})|(\d{9,12}))%{GREEDYDATA}%{IPV4:message}%{GREEDYDATA}" }
overwrite => [ "message" ]
}
}

output {
stdout {
codec => "rubydebug"
}
}`

input log
31438214312 Info:node indicated exception at 10.20.30.11

output :
{
"@version" => "1",

"@timestamp" => 2020-12-21T10:08:13.061Z,
   "message" => "10.20.30.11"

}

i want to get
"message" => "31438214312", "10.20.30.11"

Badger · December 21, 2020, 9:17pm

Well you have told it to overwrite the [message] field, so the "10.20.30.11" overwrites the "31438214312" value. You could use

    grok { match => { "message" => "(?<[@metadata][message]>(\d{9,12})|(\d{9,12}))%{GREEDYDATA}%{IPV4:[@metadata][message]}" } }
    mutate { rename => { "[@metadata][message]" => "message" } }

Note that the leading %{DATA} and trailing %{GREEDYDATA} in your pattern do nothing, and you can remove them to simplify the pattern.

Muhammad_Faisal · December 22, 2020, 7:22am

thank you badger...can you explain little bit more ...for example, if i test input string in grok debugger it shows me output as that number and IP are part of message field as array......then ,next i am overwriting message field (which means , stdin.... i.e. "31438214312 Info:node indicated exception at 10.20.30.11" )......so message field shall be overwritten which grok debugger shows .

"message": [
[
"31438214312"
],
[
"10.20.30.11"
]
],

Badger · December 22, 2020, 2:22pm

The grok debugger is not grok and does not always do exactly what a grok filter will do.

system · January 19, 2021, 2:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.