Parsing KV where value is a list

thegrockq · June 6, 2018, 2:47pm

I have a log I can mostly parse w/ the KV filter. I have a few fields that aren't parsing correctly though as the values are a list instead of a single value. For example:

..., rand_key: rand_value, IP Address: (192.168.1.1, 192.168.1.2, 192.168.1.3), rand_key2: rand_val2, ...

I'd like to be able to preserve the IP addresses as an IP data type, not a string. Currently I get an error in logs saying IP Address is not an IP string literal and it appears the message is not indexed.

Ideally, this would parse into duplicate keys (e.g. IP_Addr), in the same document, each with a different value, but I don't know that this is possible. I can grok this out into IP_Addr1, IP_Addr2, IPAddr3, and drop empty fields, but I'm hoping there's a cleaner, simpler option using the KV filter.

Anyone have any suggestions?

Badger · June 6, 2018, 3:26pm

A field can be an array of ip_addr.

AA1

To convert '(192.168.1.1, 192.168.1.2, 192.168.1.3)' to an array I would use

mutate { gsub => [ "message", " ", "", "message", "[()]", "" ] }
mutate { split => { "message" => "," } }
mutate { rename => { "message" => "ip_addr" } }

Since there are commas inside the parentheses a kv filter is not going to work as is. I would grok everything between 'IP Address: (' and ')' to give you something the above would process. Then gsub it away leaving you something kv will handle.

thegrockq · June 6, 2018, 3:47pm

This is great - thank you. I didn't know about the gsub mutate setting. I'll try this this afternoon.

thegrockq · June 14, 2018, 9:33pm

Sorry for the delayed response - I've been out of town. This is working perfectly as of today. Thanks again!

system · July 12, 2018, 9:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.