QUESTION ABOUT "LOGSTASH GROK MATCH" WITH ARRAY

GGUERRA · April 29, 2019, 3:14am

Hello everyone, I have the following question regarding the logstash filters.

I have logs that have fields that sometimes appear and sometimes do not, for example

"ip" = "1.1.1.1", "mac" = "a1: a1: a1: a1: a1: a1", "bytes" = "100", "radio" = "a / g"
"ip" = "2.2.2.2", "mac" = "a2: a2: a2: a2: a2: a2", "radio" = "B / g"

So in the grok I generate a pattern array something like that

grok {
match => {
"message" => ["" ip \ "= "% {IP: clientIP} \ "",
"" mac \ "= "% {mac} \ "",
"" bytes \ "= "% {NUMBER: bytes} \ "",
"" radio \ "= "% {DATA: radio} \ ""
]
}
}

I would like to ask you if it is necessary that all the elements of this array always appear in the message to work, and if the order of the elements of the array influences, or they capture the occurrence independent of the order in the array.

Christian_Dahlqvist · April 29, 2019, 4:27am

Have you considered using the kv filter instead of grok for this type of data? It should be able to handle aribrary combinations of fields more efficiently than grok.

GGUERRA · April 29, 2019, 12:30pm

Christian, thanks for your answer! The message that comes to me comes with quotes, do you know if this influences the kv filter?

Christian_Dahlqvist · April 29, 2019, 12:35pm

If it causes problems you can always trim then using a mutate gsub filter before processing.

system · May 27, 2019, 12:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Taking array of matching values for one pattern out of Logstash grok Logstash	4	7376	March 9, 2018
Parsing KV where value is a list Logstash	4	1092	July 12, 2018
Grok Patterns - Quick question Logstash	1	285	January 9, 2019
Eliminating _grokparsefailure Logstash	5	2524	July 6, 2017
Logstash Filter help - Newbie question Logstash	6	315	February 17, 2022

QUESTION ABOUT "LOGSTASH GROK MATCH" WITH ARRAY

Related topics