Regex in Kibana 5.0


(Sara Thomas) #1

Hi,

I am trying out applying regex on the message field in the Kibana 5.0 (beta version).

Can you give me some examples for this?

Like if I try to explain further:

message:<189>Sep 13 14:35:31 ::ffff:x.x.x.x Sep 13 14:35:07
sshd[4439]: Failed password for user username from x.x.x.x port xx ssh2

Now, I want to apply a parser (regex)

(?i)(?Accepted|Failed)[\s]+(?password|publickey)[\s]+for[\s]+(?[\S]+)[\s]+from[\s]+(?[\d]{1,3}.[\d]{1,3}.[\d]{1,3}.[\d]{1,3})[\s]+port[\s]+(?[\d]{1,5})

on this at the Kibana search tab and extract IP, username, port, etc.

Is this feature enabled in Kibana 5.0 beta or is there something else similar to this possible?


(Matt Bargar) #2

If I understand correctly, you want to pull out these individual pieces of information from a single field and display them as their own fields on the Discover tab? It would be best to do this at ingestion time with Logstash or Ingest node, but you could also create a scripted field for each new piece of data you want to pull out. The docs are a little out of date right now, but in 5.0 you'll be able to create scripted fields using the new Painless scripting language which will allow you to create string type fields with a regex.
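For readers who want to see what the parser in the question actually yields before wiring it into Logstash, Ingest node or a scripted field, here is an added example (not code from the thread or from Elastic). It applies a named-group version of the regex above to a few constructed sshd lines, escapes the dots in the IPv4 octets so an unescaped `.` cannot match arbitrary characters, and shows an equivalent Ingest node grok processor. The group names, the pipeline field names and the sample log lines are all assumptions made for the example.

```python
"""Parse sshd authentication events with the regex discussed above.

Added example for the thread, not the poster's or Elastic's code. Group names,
field names and the sample lines below are assumptions for illustration.
"""
import re

# Named-group version of the regex from the question. The dots in the IPv4
# octets are escaped: an unescaped '.' matches any character, so "1a2b3c4"
# would otherwise pass as an address. The optional "invalid user " prefix
# covers sshd's wording when the account does not exist.
SSHD_AUTH_RE = re.compile(
    r"(?P<result>Accepted|Failed)\s+"
    r"(?P<method>password|publickey)\s+for\s+"
    r"(?:invalid\s+user\s+)?"
    r"(?P<user>\S+)\s+from\s+"
    r"(?P<src_ip>(?:\d{1,3}\.){3}\d{1,3})\s+"
    r"port\s+(?P<src_port>\d{1,5})",
    re.IGNORECASE,
)

# Equivalent Ingest node pipeline (grok processor), which is where the reply
# recommends doing the extraction. Field names are assumptions.
INGEST_PIPELINE = {
    "description": "Extract sshd auth fields from message (added example)",
    "processors": [
        {
            "grok": {
                "field": "message",
                "patterns": [
                    "%{WORD:auth_result} %{WORD:auth_method} for "
                    "(invalid user )?%{USERNAME:user} from "
                    "%{IP:src_ip} port %{POSINT:src_port:int}"
                ],
            }
        }
    ],
}

# Constructed sample lines in the same shape as the message in the question.
SAMPLE_LINES = [
    "<189>Sep 13 14:35:31 ::ffff:10.0.0.9 Sep 13 14:35:07 sshd[4439]: "
    "Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2",
    "<189>Sep 13 14:35:40 ::ffff:10.0.0.9 Sep 13 14:35:16 sshd[4439]: "
    "Failed password for alice from 203.0.113.7 port 40118 ssh2",
    "<189>Sep 13 14:36:02 ::ffff:10.0.0.9 Sep 13 14:35:38 sshd[4452]: "
    "Accepted publickey for alice from 10.0.0.5 port 52214 ssh2",
    "<189>Sep 13 14:36:10 ::ffff:10.0.0.9 Sep 13 14:35:46 sshd[4452]: "
    "pam_unix(sshd:session): session opened for user alice by (uid=0)",
]


def parse_sshd_auth(message):
    """Return the extracted fields as a dict, or None for non-auth lines."""
    m = SSHD_AUTH_RE.search(message)
    if m is None:
        return None
    fields = m.groupdict()
    fields["src_port"] = int(fields["src_port"])
    return fields


def failed_by_source(messages):
    """Count failed logins per source IP; the usual next step after parsing."""
    counts = {}
    for msg in messages:
        fields = parse_sshd_auth(msg)
        if fields and fields["result"].lower() == "failed":
            counts[fields["src_ip"]] = counts.get(fields["src_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_sshd_auth(line))
    print(failed_by_source(SAMPLE_LINES))
```

The regex is applied with `search`, not `match`, because the syslog priority, timestamps and process tag precede the sshd text; in an Ingest pipeline the grok processor behaves the same way and leaves the original `message` intact while adding the new fields to the document.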

