(probably) dumb grok question

an example of my data:

        {"protocol": 6, "recordType": 71, "eventType": 1003, "securityGroupId": 0, "userId": 9999997, "policyRevision": "00000000-0000-0000-0000-00005e5f4ab1", "iocNumber": 0, "userAgent": {"blockLength": 44, "blockType": 0, "data": "CaptiveNetworkSupport-390.0.3 wispr"}, "initiatorIpAddress": "192.168.10.22", "eventSubtype": 1, "securityContext": "00000000000000000000000000000000", "ruleAction": 2, "responderCountry": 840, "@computed": {"ingressSecurityZone": "ISOLATE-ZONE", "sourceIpCountry": "unknown", "eventDescription": "Flow Statistics", "firewallRuleReason": "N/A", "firewallPolicy": "Default Access Control", "destinationIpCountry": "united states", "monitorRule4": "N/A", "monitorRule5": "N/A", "monitorRule6": "N/A", "monitorRule7": "N/A", "monitorRule1": "N/A", "monitorRule2": "N/A", "monitorRule3": "N/A", "recordTypeCategory": "RNA", "ingressInterface": "ISOLATE", "recordTypeDescription": "Connection Statistics", "eventDateTime": "2020-03-04T08:00:00", "egressSecurityZone": "OUTSIDE-ZONE", "sslServerCertificateStatus": "Not Checked", "webApplication": "Apple sites", "clientApplication": "Web browser", "sslCipherSuite": "TLS_NULL_WITH_NULL_NULL", "securityIntelligenceEvent": "No", "firewallRule": "Guest-allow", "applicationProtocol": "HTTP", "sslFlowStatus": "Unknown", "firewallRuleAction": "Allow", "user": "No Authentication Required", "sslActualAction": "Unknown", "sslVersion": "Unknown", "egressInterface": "INTERNET", "transportProtocol": "TCP", "eventSecond": 1583326800, "sensor": "1A-FP-1", "securityIntelligenceIp": "N/A", "sslExpectedAction": "Unknown", "urlCategory": "Business and Economy", "urlReputation": "Benign sites"}, "webApplicationId": 1185, "archiveTimestamp": 1583326800, "legacyIpAddress": "0.0.0.0", "firstPacketTimestamp": 1583326799, "egressZone": "94d0f412-b8ce-11e7-b61e-81292bc15eb1", "sslFlowError": 0, "eventSecond": 0, "blockType": 160, "sslTicketId": "0000000000000000000000000000000000000000", "macAddress": "00:00:00:00:00:00", 
"tcpFlag": 0, "sslFlowMessages": 0, "responderPort": 80, "blockLength": 669, "sourceMask": 0, "dnsRecordType": 0, "securityIntelligenceSourceDestination": 0, "monitorRule7": 0, "initiatorCountry": 0, "referencedHost": {"blockLength": 26, "blockType": 0, "data": "captive.apple.com"}, "sslTicketIdLength": 0, "lastPacketTimestamp": 1583326799, "initiatorTransmittedPackets": 7, "sslFlowStatus": 0, "deviceId": 2, "clientApplicationId": 2000000676, "netbios": {"blockLength": 8, "blockType": 0, "data": ""}, "destinationAutonomousSystem": 0, "sslActualAction": 0, "checksum": 0, "initiatorTransmittedBytes": 762, "ingressZone": "058dada2-c2f4-11e6-b347-cfcb2a24d095", "clientApplicationVersion": {"blockLength": 8, "blockType": 0, "data": ""}, "sourceAutonomousSystem": 0, "urlReputation": 2, "networkAnalysisPolicyRevision": "f4628f61-e9ec-0b6f-1822-12c0f66309fd", "securityIntelligenceLayer": 0, "monitorRule8": 0, "dnsTtl": 0, "monitorRule4": 0, "monitorRule5": 0, "monitorRule6": 0, "netflowSource": "00000000-0000-0000-0000-000000000000", "applicationId": 676, "monitorRule1": 0, "monitorRule2": 0, "monitorRule3": 0, "sslFlowFlags": 0, "connectionCounter": 59883, "destinationMask": 0, "sslCertificateFingerprint": "0000000000000000000000000000000000000000", "sslServerCertificateStatus": 0, "intrusionEventCount": 0, "snmpOut": 0, "ruleId": 268442627, "initiatorPort": 63622, "sourceTos": 0, "destinationTos": 0, "egressInterface": "335aeba6-d544-11e7-9cbf-aca18ca182a4", "recordLength": 725, "sslSessionIdLength": 0, "sslSessionId": "0000000000000000000000000000000000000000000000000000000000000000", "sslServerName": {"blockLength": 8, "blockType": 0, "data": ""}, "urlCategory": 4, "endpointProfileId": 0, "responderIpAddress": "17.253.21.203", "instanceId": 3, "httpReferrer": {"blockLength": 8, "blockType": 0, "data": ""}, "sslCipherSuite": 0, "sslUrlCategory": 0, "ingressInterface": "05e1bf54-51fc-11e7-892c-27b1aeff5cee", "responderTransmittedPackets": 6, "snmpIn": 0, 
"eventMicrosecond": 0, "locationIpv6": "::", "sslRuleId": 0, "sslPolicyId": "00000000000000000000000000000000", "securityIntelligenceList1": 0, "securityIntelligenceList2": 0, "vlanId": 0, "responderTransmittedBytes": 1136, "hasIpv6": 1, "clientUrl": {"blockLength": 53, "blockType": 0, "data": "http://captive.apple.com/hotspot-detect.html"}, "dnsResponseType": 0, "sslVersion": 0, "ipv6Address": "0:3eb:0:1:a1a2:5f5e:8b56:ee00", "fileEventCount": 0, "sslExpectedAction": 0, "ruleReason": 0, "httpResponse": 0, "dnsQuery": {"blockLength": 8, "blockType": 0, "data": ""}, "sinkholeUuid": "00000000-0000-0000-0000-000000000000"}
    {"@computed": {"recordTypeCategory": "FIREWALL RULE", "recordTypeDescription": "Access Control Rule ID Metadata"}, "recordType": 119, "blockLength": 61, "checksum": 0, "recordLength": 61, "name": {"blockLength": 33, "blockType": 0, "data": "Inside-Out-Window7-block"}, "archiveTimestamp": 0, "blockType": 15, "id": 268486656, "uuid": "00000000-0000-0000-0000-00005e5f4ab1"}
    {"@computed": {"recordTypeCategory": "FIREWALL RULE ACTION", "recordTypeDescription": "Access Control Rule Action Metadata"}, "recordType": 120, "checksum": 0, "recordLength": 13, "archiveTimestamp": 0, "length": 5, "id": 4, "name": "Block"}
    {"protocol": 710, "recordType": 98, "blockLength": 32, "checksum": 0, "recordLength": 32, "archiveTimestamp": 0, "@computed": {"recordTypeCategory": "RUA USER", "recordTypeDescription": "User"}, "blockType": 57, "id": 8239, "name": {"blockLength": 16, "blockType": 0, "data": "auto-di"}}
    {

I'm trying to extract the IP address from `"initiatorIpAddress": "192.168.10.22"` and store it in a separate field, say `initIP`, so I can run it through the GeoIP filter. I'm still fairly new to working with Logstash, and I'm just not seeing how this should be done. TIA

You could use

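# Captures the quoted value that follows the "initiatorIpAddress" key in the raw
# JSON message into the field initiatorIpAddress. The capture needs a closing
# brace (%{IPV4:initiatorIpAddress}) and the single-quoted pattern must be closed,
# otherwise the filter fails to load.
# Since the message is itself a JSON document, a json { source => "message" }
# filter would expose every key (initiatorIpAddress included) without any grok
# pattern; grok on a JSON string is fragile if key order or spacing changes.
# GeoIP caveat: the sample initiator (192.168.10.22) is a private RFC 1918
# address with no GeoIP database entry, so lookups on internal sources will fail.
grok { match => { "message" => '"initiatorIpAddress": "%{IPV4:initiatorIpAddress}"' } }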
