Quick Question on Grok and filtering

F_Terrie · April 23, 2018, 4:38pm

Basically I'm wondering if the below is sound enough to work and if it is efficient to what I need,

The three logs I'm currently running through Logstash doesn't have a unique type and only has a unique host value. I wan't to start using Grok to create unique fields however I'm not sure whats the best way to approach parsing one of the three logs using the simple Grok expression below. Is it possible to use a condition based on the hosts IP? I'll need to create a unique Grok expression for each of the three, however I want to start with one at the moment to get more familiar with Grok. Is this do able?

Any help would be greatly appreciated

  filter {
      if "KeyWord" in [message] {
    	grok {
            match => { "message" => "%{IP:ip} <9>1 %{TIMESTAMP_ISO8601:timezone} %{WORD:id} %{WORD:log_type} - -%{GREEDYDATA:message}"}
            	}
    	}
    }

Badger · April 23, 2018, 6:44pm

in tests for membership in an array. If you want to test whether the message field contains that word then

if [message] =~ /\bKeyWord\b/

magnusbaeck · April 23, 2018, 8:42pm

in tests for membership in an array.

It can also be used for substring matching.

system · May 21, 2018, 8:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash filter fields in if conditions Logstash	5	19289	August 25, 2020
Help with filtering message based on regex Logstash	3	462	April 8, 2021
Writing grok filter for my usecase Logstash	5	493	September 6, 2017
Logstash filter not working Logstash	3	303	December 21, 2018
QUESTION ABOUT "LOGSTASH GROK MATCH" WITH ARRAY Logstash	4	1282	May 27, 2019

Quick Question on Grok and filtering

Related Topics