Partial match in dictionary of translate - Logstash

I hope you can help me. I am trying to add a field based on partial words in a certain field.

I'm trying to add the level of severity of the Cisco logs, some examples of logs are:
BGP_SESSION-5-ADJCHANGE
SECURITY-SSHD-6-INFO_GENERAL
L2-T1E1-4-ALARM

So for example the log type "L2-T1E1-4-ALARM" has a severity of "Warning".

I managed to make it work with the following if conditions:

if [CiscoPROG] =~ "-0-" {
  mutate {
    add_field => ["[SeverityLevel]", "[0] Emergency"]
  }
}
if [CiscoPROG] =~ "-1-" {
  mutate {
    add_field => ["[SeverityLevel]", "[1] Alerts"]
  }
}
if [CiscoPROG] =~ "-2-" {
  mutate {
    add_field => ["[SeverityLevel]", "[2] Critical"]
  }
}
if [CiscoPROG] =~ "-3-" {
  mutate {
    add_field => ["[SeverityLevel]", "[3] Error"]
  }
}
if [CiscoPROG] =~ "-4-" {
  mutate {
    add_field => ["[SeverityLevel]", "[4] Warning"]
  }
}
if [CiscoPROG] =~ "-5-" {
  mutate {
    add_field => ["[SeverityLevel]", "[5] Notification"]
  }
}
if [CiscoPROG] =~ "-6-" {
  mutate {
    add_field => ["[SeverityLevel]", "[6] Informational"]
  }
}
if [CiscoPROG] =~ "-7-" {
  mutate {
    add_field => ["[SeverityLevel]", "[7] Debugging"]
  }
}

But I'm trying to do it with "translate" using a dictionary, so I can then catalog other types of logs.

My translate code is as follows:

translate {
  exact => true
  field => "CiscoPROG" # Field with the Cisco logs
  destination => "SeverityLevel"
  dictionary_path => "/etc/logstash/dictionary/SEVERITY.yaml"
}

In my dictionary I tried several formats using "*" or "%" without success.

Content of "/etc/logstash/dictionary/SEVERITY.yaml":
'(\w+)-0-(\w+)': "[0] Emergency"
'(\w+)-1-(\w+)': "[1] Alerts"
'(\w+)-2-(\w+)': "[2] Critical"
'(\w+)-3-(\w+)': "[3] Error"
'(\w+)-4-(\w+)': "[4] Warning"
'(\w+)-5-(\w+)': "[5] Notification"
'(\w+)-6-(\w+)': "[6] Informational"
'(\w+)-7-(\w+)': "[7] Debugging"

Hope you can help me.

Thanks!

I suspect the most efficient way to do this might be to create a single grok filter that is able to parse out just the severity level into a separate field and then apply a translate filter (with exact match) to this. This should result in a lot less regular expression parsing and better performance.
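The grok-then-translate approach described in the reply, written out as an added example (not from the original thread): a single grok pattern pulls the numeric severity out of CiscoPROG, and translate maps that digit with an exact-match inline dictionary. Field names cisco_facility, cisco_severity and cisco_mnemonic are assumptions, and the example keeps the question's field/destination option names (newer versions of the translate plugin call these source/target).

```logstash
filter {
  # Cisco mnemonics look like FACILITY-SEVERITY-MNEMONIC, e.g. SECURITY-SSHD-6-INFO_GENERAL.
  # DATA is non-greedy, so a facility containing dashes (SECURITY-SSHD) still parses:
  # the INT must be a digit run and the WORD must run to the end of the field.
  grok {
    match => { "CiscoPROG" => "^%{DATA:cisco_facility}-%{INT:cisco_severity}-%{WORD:cisco_mnemonic}$" }
    tag_on_failure => ["_cisco_severity_parse_failure"]
  }

  # Exact lookup on the single digit; no regex evaluation per dictionary entry.
  # fallback marks anything outside 0-7 so unexpected input is visible rather than silently unlabelled.
  if [cisco_severity] {
    translate {
      exact => true
      field => "cisco_severity"
      destination => "SeverityLevel"
      dictionary => {
        "0" => "[0] Emergency"
        "1" => "[1] Alerts"
        "2" => "[2] Critical"
        "3" => "[3] Error"
        "4" => "[4] Warning"
        "5" => "[5] Notification"
        "6" => "[6] Informational"
        "7" => "[7] Debugging"
      }
      fallback => "[?] Unknown severity"
    }
  }
}
```

With this layout, cataloguing other log types later means adding a second translate keyed on cisco_facility or cisco_mnemonic rather than touching the severity mapping.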
