Parsing and applying regex in kibana


(Sara Thomas) #1

Hi,

I want to extract details from the message field of Linux data in Kibana, without using the filter plugin of Logstash. How can we do this?


(Jim Unger) #2

What are you trying to accomplish? What do you mean that you want to extract details from the message field? If you want to do any kind of advanced, real-time aggregations/filtering/searching on the complex data in the message field, then it sounds like those values need to be enriched at index time into Elasticsearch.

If you just want to use regex patterns to search for documents in your index, Kibana supports using Regexp queries in the search bar.

https://www.elastic.co/guide/en/beats/packetbeat/current/_kibana_queries_and_filters.html#_regexp_queries


(Sara Thomas) #3

Hey Jim,

I want to do an advanced search on the indexed data using some regex, applying only a few or rather no filters in Logstash. Like in the Splunk search head, where we can apply regex and do field extraction on the indexed data. Is the same possible in Kibana?


(Jim Unger) #4

As of today, you cannot do that in Kibana, and need to enrich your data at index time. When 5.0 releases, you can do some search-time field extraction via Kibana scripted fields with Painless, but expect it to be slow.

examples here

Because this will be slow at search-time, we recommend that once you’ve experimented with it to find your common use cases, use the reindex API to then persist these fields to your documents, and modify your index process for future documents.


(Sara Thomas) #5

Hi Jim,

I am trying out applying regex on the message field in the Kibana 5.0 (beta version).

Can you give me some examples for this?

Like if I try to explain further:

message:<189>Sep 13 14:35:31 ::ffff:x.x.x.x Sep 13 14:35:07 sshd[4439]: Failed password for user username from x.x.x.x port xx ssh2

Now, I want to apply a parser (regex)

(?i)(?<st_i>Accepted|Failed)[\s]+(?<auth_typ>password|publickey)[\s]+for[\s]+([\S]+)[\s]+from[\s]+(?<client_ip>[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3})[\s]+port[\s]+([\d]{1,5})

on this in the Kibana search tab and extract IP, username, port, etc.

Is this feature enabled in Kibana 5.0 beta or is there something else similar to this possible?
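The extraction the thread is after, as an added example that is not code from the original posts or from Elastic: the sshd auth regex from the question, with named groups for every field and the dots in the IP escaped, applied at search time over constructed syslog lines in the same shape as the one posted, and then used for the check a practitioner usually wants from this data (failed-password counts per client IP). It goes slightly beyond the post by also handling sshd's "Failed password for invalid user NAME" variant, which the original pattern would mis-capture as username "invalid". The group names username and port are assumptions (the post's own names for them were lost); Python spells named groups (?P<name>...) while Java/Painless spells them (?<name>...). Note that later Elasticsearch 5.x releases disable regex literals in Painless by default (the script.painless.regex.enabled setting), so check that before porting the pattern to a scripted field.

```python
import re
from collections import Counter

# Regex from the thread, corrected: all groups named, IP dots escaped so
# "." cannot match an arbitrary character, and an optional "invalid user"
# prefix so that failed logins for unknown accounts are parsed correctly.
# Group names `username` and `port` are assumed (not given in the post).
SSHD_AUTH = re.compile(
    r"(?i)(?P<st_i>Accepted|Failed)\s+(?P<auth_typ>password|publickey)\s+for\s+"
    r"(?P<invalid>invalid\s+user\s+)?(?P<username>\S+)\s+from\s+"
    r"(?P<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+port\s+(?P<port>\d{1,5})"
)

# Constructed sample messages in the same shape as the line in the question
# (syslog PRI, relay timestamp and IPv4-mapped relay address, then the
# original sshd line). Addresses are documentation ranges, not real hosts.
SAMPLE_MESSAGES = [
    "<189>Sep 13 14:35:31 ::ffff:10.0.0.5 Sep 13 14:35:07 sshd[4439]: "
    "Failed password for root from 203.0.113.7 port 51822 ssh2",
    "<189>Sep 13 14:35:33 ::ffff:10.0.0.5 Sep 13 14:35:09 sshd[4439]: "
    "Failed password for invalid user admin from 203.0.113.7 port 51830 ssh2",
    "<189>Sep 13 14:35:40 ::ffff:10.0.0.5 Sep 13 14:35:16 sshd[4441]: "
    "Accepted publickey for deploy from 198.51.100.12 port 40022 ssh2",
    "<189>Sep 13 14:35:41 ::ffff:10.0.0.5 Sep 13 14:35:17 sshd[4441]: "
    "pam_unix(sshd:session): session opened for user deploy by (uid=0)",
]


def extract_fields(message):
    """Search-time field extraction for one raw message.

    Uses search() rather than match() because the auth text is preceded by
    syslog and relay headers. Returns None when the line is not an sshd
    auth result, so callers can skip non-matching documents.
    """
    m = SSHD_AUTH.search(message)
    if m is None:
        return None
    return {
        "st_i": m.group("st_i"),
        "auth_typ": m.group("auth_typ").lower(),
        "username": m.group("username"),
        "invalid_user": m.group("invalid") is not None,
        "client_ip": m.group("client_ip"),
        "port": int(m.group("port")),
    }


def failed_password_counts(messages):
    """Count failed password attempts per client IP over a batch of messages.

    This is the aggregation the thread wants to run over extracted fields;
    lines that do not parse are ignored rather than counted.
    """
    counts = Counter()
    for msg in messages:
        fields = extract_fields(msg)
        if fields and fields["st_i"].lower() == "failed" and fields["auth_typ"] == "password":
            counts[fields["client_ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(extract_fields(msg))
    print("failed password attempts by client IP:", failed_password_counts(SAMPLE_MESSAGES))
```

The same pattern can be moved to an ingest pipeline or Logstash grok once it is stable, which is the reindex-and-persist path recommended earlier in the thread; the point of running it in code first is to confirm on real lines that every variant sshd emits is captured before those fields are written into the index.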

