Parsing ip address coming at random places inside logs

Elastic Stack Logstash
1

hi guys,

input log message contains IP address but the occurence of ip is random inside message and also some times the message will not contain any ip ...how can we extract this ip address using grok or other filters.

example of input log messages :
this is server log 10.20.30.10 error observed
10.20.50.10 exception occurred
no error observed.

i am trying below, not working

grok { match => {"message" => " ((?<wildcard>.*)%{IPV4:IP}(?<wildcard>.*)") | %{IPV4:IP}(?<wildcard>.*) | (?<wildcard>.*)}
}

2

If you just want the IP then you can use

grok { match => { "message" => "%{IPV4:IP}" } }

and grok will find it if it is anywhere in the message.

1 Like
3

hi Badger,

thanks for input.

built in grok will capture ip address once in the log message and remaining ip address will not parse...there are instances where ip address is populating multiple times or less without any particular position such as ...

10.20.30.10 exception 10.20.50.90 error at server 10.30.10.10

is there any grok which can parse all ip addresses occurences coming anywhere in input message at any place

thanks

4

also if input log message does not have ip address , it give me _grokparsefailure

5

In you want to capture every occurrence of a regexp in a field then use a ruby filter and the String.scan function.

    ruby {
        code => 'event.set("anArray", event.get("message").scan(/(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])/))'
    }

Edited to add: The grok pattern for IPV4 is one of the core patterns.

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.