Quick Question on Grok and filtering

F_Terrie · April 23, 2018, 4:38pm

Basically I'm wondering if the below is sound enough to work and if it is efficient to what I need,

The three logs I'm currently running through Logstash doesn't have a unique type and only has a unique host value. I wan't to start using Grok to create unique fields however I'm not sure whats the best way to approach parsing one of the three logs using the simple Grok expression below. Is it possible to use a condition based on the hosts IP? I'll need to create a unique Grok expression for each of the three, however I want to start with one at the moment to get more familiar with Grok. Is this do able?

Any help would be greatly appreciated

  filter {
      if "KeyWord" in [message] {
    	grok {
            match => { "message" => "%{IP:ip} <9>1 %{TIMESTAMP_ISO8601:timezone} %{WORD:id} %{WORD:log_type} - -%{GREEDYDATA:message}"}
            	}
    	}
    }

Badger · April 23, 2018, 6:44pm

in tests for membership in an array. If you want to test whether the message field contains that word then

if [message] =~ /\bKeyWord\b/

magnusbaeck · April 23, 2018, 8:42pm

in tests for membership in an array.

It can also be used for substring matching.

system · May 21, 2018, 8:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.