QUESTION ABOUT "LOGSTASH GROK MATCH" WITH ARRAY

GGUERRA · April 29, 2019, 3:14am

Hello everyone, I have the following question regarding the logstash filters.

I have logs that have fields that sometimes appear and sometimes do not, for example

"ip" = "1.1.1.1", "mac" = "a1: a1: a1: a1: a1: a1", "bytes" = "100", "radio" = "a / g"
"ip" = "2.2.2.2", "mac" = "a2: a2: a2: a2: a2: a2", "radio" = "B / g"

So in the grok I generate a pattern array something like that

grok {
match => {
"message" => ["" ip \ "= "% {IP: clientIP} \ "",
"" mac \ "= "% {mac} \ "",
"" bytes \ "= "% {NUMBER: bytes} \ "",
"" radio \ "= "% {DATA: radio} \ ""
]
}
}

I would like to ask you if it is necessary that all the elements of this array always appear in the message to work, and if the order of the elements of the array influences, or they capture the occurrence independent of the order in the array.

Christian_Dahlqvist · April 29, 2019, 4:27am

Have you considered using the kv filter instead of grok for this type of data? It should be able to handle aribrary combinations of fields more efficiently than grok.

GGUERRA · April 29, 2019, 12:30pm

Christian, thanks for your answer! The message that comes to me comes with quotes, do you know if this influences the kv filter?

Christian_Dahlqvist · April 29, 2019, 12:35pm

If it causes problems you can always trim then using a mutate gsub filter before processing.

system · May 27, 2019, 12:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.