Parsing a Concatenated Field to Extract Sub-Fields

fmaginga · June 21, 2021, 10:31am

Hello,

I am trying to write a logstash filter to extract individual sub-fields from on concatenated field.

Example:

I have a field CGI = 640070003110080

CGI = 640070003110080

I want to split the CGI field in to four other fields as follows;

MCC = 640
MNC = 07
LAC = 00031
CellID = 10080

CGI is always 15 digits long, 1st to 3rd digits are MCC, 4th to 5th digits are MNC, 6th to 10th digits are LAC and 11th to 15th digits are CellID

Which filter plugin can I use? I tried to search I could not find any so far.

Best Regards,
Frank

Cad · June 21, 2021, 11:05am

Hi,

You can use grok like this on the CGI field

(?<MCC>[0-9]{3})(?<MNC>[0-9]{2})(?<LAC>[0-9]{5})(?<CellID>[0-9]{5})

<MCC> specify what is the name of the new field. The name is followed by a pattern [0-9]{3}.
[0-9] specify what i search. Here i search digit between 0 and 9 include.
{3} specify the number of digit i want to find. Here 3.

For each new field, i copy past the first configuration and change the name of the field and the number of digit i search.

The final grok filter looks like this:

grok {
  match => { "CGI" => "(?<MCC>[0-9]{3})(?<MNC>[0-9]{2})(?<LAC>[0-9]{5})(?<CellID>[0-9]{5})" }
}

Cad.

fmaginga · June 21, 2021, 11:29am

Thanks @Cad, it worked!

system · July 19, 2021, 11:29am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.