Regex to break from specific word or character in a log line

tharu85 · September 26, 2017, 12:03pm

I want to split below log line

"APP-DETECT TeamViewer remote administration tool outbound connection attempt" [Impact: Potentially Vulnerable] From ABC

As like

name : APP-DETECT TeamViewer remote administration tool outbound connection attempt
impact : Potentially Vulnerable
other : From ABC

How can I create a grok or regex to break sentence as above scenario.

guyboertje · September 26, 2017, 1:43pm

I presume LS 5.x or greater.

You can use the dissect filter for this, provided that:

The first section is always in double quotes.
The second section is always in square brackets.
The term "Impact" is always the same and in the same place (let me know if a different term is in that place and you want the field to be named that, dissect has a solution for that)

If so then read on.

filter {
  dissect {
    mapping => { "message" => '"%{name}" [Impact: %{impact}] %{other}' }
  }
}

If some lines are not like this then use an if block to only apply dissect conditionally.

filter {
  if [message] =~ "^\"APP-DETECT.+\[Impact:.+\]"
    dissect {
      mapping => { "message" => '"%{name}" [Impact: %{impact}] %{other}' }
    }
  }
}

system · October 24, 2017, 1:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.