Problem with split add field

Hello,
I am using logstash 7.6.2
I am trying to parse a CEF log, separated by pipes "|"
I've done:

mutate {
    copy => { "cefmessage" => "tmp_message" }
    split => { "tmp_message" => "|" }
    add_field => { "cef_device_vendor" => "%{[tmp_message][1]}" }
    add_field => { "cef_device_product" => "%{[tmp_message][3]}" }
    add_field => { "cef_device_version" => "%{[tmp_message][4]}" }
}

I've tried both the split => {"tmp_message" => "|"} and the split => ["tmp_message" , "|" ]
syntax; both give no error in the system logs, but I dunno if it's working.
I've read on other similar topics that I had to use "%{[tmp_message][1]}" instead of "%tmp_message[1]}".
The problem is that I simply get fields with literally the string %{[tmp_message][1]}
and NOT the content of [tmp_message][1].

I've tried without double quotes and got an error. With single quotes is the same.
I am going crazy! I am sure the solution is very simple...

A mutate filter does things in a fixed order, and copy comes after split, so when split executes the [tmp_message] field does not exist.

Break your mutate into two filters, with copy in the first and split and add_field (which is done last) in the second. I would do it as

mutate {
    copy => { "cefmessage" => "[@metadata][cefmessage]" }
}
mutate {
    split => { "[@metadata][cefmessage]" =>  "|" }
    add_field => {
        "cef_device_vendor" => "%{[@metadata][cefmessage][1]}"
        "cef_device_product" => "%{[@metadata][cefmessage][3]}"
        "cef_device_version" => "%{[@metadata][cefmessage][4]}"
    }
}

Fields under [@metadata] are not indexed.

If you want to parse all of the CEF data then you may be able to do it using the cef codec.
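As an added illustration (not code from this thread or from the mutate plugin itself), the Ruby below models the plugin's fixed operation order described in the answer and reproduces both outcomes: the literal "%{[tmp_message][1]}" produced by the single mutate in the question, and the resolved vendor produced by the two-filter fix. The event hash, the field lookup helpers and the CEF line are constructed for this example.

```ruby
# Order in which the modelled mutate options run (the real plugin has more).
MUTATE_ORDER = %i[split copy add_field].freeze
# "[@metadata][cefmessage][1]" -> ["@metadata", "cefmessage", "1"]; bare "x" -> ["x"].
def path_of(ref)
  parts = ref.scan(/\[([^\]]+)\]/).flatten
  parts.empty? ? [ref] : parts
end
# Walk the path; nil when a step does not resolve (e.g. indexing into a String).
def get_field(event, ref)
  path_of(ref).reduce(event) do |node, key|
    node.is_a?(Hash) ? node[key] : (node.is_a?(Array) ? node[key.to_i] : nil)
  end
end
def set_field(event, ref, value)
  *parents, last = path_of(ref)
  parent = parents.reduce(event) { |node, key| node[key] ||= {} }
  parent[last] = value
end
# Logstash-style sprintf: an unresolved %{...} reference stays as literal text.
def sprintf_field(event, template)
  template.gsub(/%\{([^}]+)\}/) { |whole| get_field(event, $1)&.to_s || whole }
end
# One mutate filter: every option runs in MUTATE_ORDER, not in config order.
def mutate(event, opts)
  MUTATE_ORDER.each do |op|
    (opts[op] || {}).each do |field, arg|
      value = get_field(event, field)
      case op
      when :split then set_field(event, field, value.split(arg)) if value.is_a?(String)
      when :copy then set_field(event, arg, value.dup) unless value.nil?
      when :add_field then set_field(event, field, sprintf_field(event, arg))
      end
    end
  end
  event
end
# Constructed sample CEF line (vendor is element 1 after splitting on "|").
CEF_LINE = "CEF:0|Example Vendor|Example Product|1.0|100|Test event|5|src=10.0.0.1".freeze
# Question's single mutate: copy runs after split, so add_field only sees a String.
def single_mutate
  mutate({ "cefmessage" => CEF_LINE }, copy: { "cefmessage" => "tmp_message" },
         split: { "tmp_message" => "|" },
         add_field: { "cef_device_vendor" => "%{[tmp_message][1]}" })
end
# Answer's two mutates: the copy is complete before the second filter splits it.
def two_mutates
  event = mutate({ "cefmessage" => CEF_LINE }, copy: { "cefmessage" => "[@metadata][cefmessage]" })
  mutate(event, split: { "[@metadata][cefmessage]" => "|" },
                add_field: { "cef_device_vendor" => "%{[@metadata][cefmessage][1]}" })
end
```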


thanks A LOT.
It was simple, but I'd never have got to this solution alone.
