Parsing a Concatenated Field to Extract Sub-Fields

fmaginga · June 21, 2021, 10:31am

Hello,

I am trying to write a logstash filter to extract individual sub-fields from on concatenated field.

Example:

I have a field CGI = 640070003110080

CGI = 640070003110080

I want to split the CGI field in to four other fields as follows;

MCC = 640
MNC = 07
LAC = 00031
CellID = 10080

CGI is always 15 digits long, 1st to 3rd digits are MCC, 4th to 5th digits are MNC, 6th to 10th digits are LAC and 11th to 15th digits are CellID

Which filter plugin can I use? I tried to search I could not find any so far.

Best Regards,
Frank

Cad · June 21, 2021, 11:05am

Hi,

You can use grok like this on the CGI field

(?<MCC>[0-9]{3})(?<MNC>[0-9]{2})(?<LAC>[0-9]{5})(?<CellID>[0-9]{5})

<MCC> specify what is the name of the new field. The name is followed by a pattern [0-9]{3}.
[0-9] specify what i search. Here i search digit between 0 and 9 include.
{3} specify the number of digit i want to find. Here 3.

For each new field, i copy past the first configuration and change the name of the field and the number of digit i search.

The final grok filter looks like this:

grok {
  match => { "CGI" => "(?<MCC>[0-9]{3})(?<MNC>[0-9]{2})(?<LAC>[0-9]{5})(?<CellID>[0-9]{5})" }
}

Cad.

fmaginga · June 21, 2021, 11:29am

Thanks @Cad, it worked!

system · July 19, 2021, 11:29am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Creating a sub field of GROK filter pattern Logstash	5	1041	August 26, 2020
Logstash extract first 3 chars of a field into another field Logstash	3	664	July 6, 2017
Picking substring from field in logstash Logstash	2	2911	September 20, 2017
Logstash filter to create a subfield based on specific text in a log message Logstash	2	170	December 24, 2023
Logstash Filter to parse a string Logstash	5	904	August 27, 2019

Parsing a Concatenated Field to Extract Sub-Fields

Related topics