Rsyslog to logstash as json -> extract pattern from message

vasilev · June 13, 2024, 9:27am

Hello all,

I am sending rsyslog data to logstash via udp. Here is the logstash configuration:

input {
udp {
port => 15044
codec => "json"
type => "rsyslog"
}
}
filter {
if [srvtype] == "test" {
json {
source => ""
remove_field => ["facility"]
}
mutate {
add_field => {
"test" => ""
}
rename => {
"[message]" => "[errormessage]"
}
}
}
}

The message is something like:

text text text (TEXT1.TEXT2) [Thread 489] (Msg 1/1) XYZ2154: text...

the interesting part for me is TEXT1 and XYZ2154.
is there any way to take these strings and add them in a new field in the mutate ?

thank you

yago82 · June 13, 2024, 11:12am

Hi,

Here's an example of how you might use the grok filter to extract the TEXT1 and XYZ2154 parts of your message:

filter {
  if [srvtype] == "test" {
    grok {
      match => { "message" => ".*\(%{WORD:TEXT1}\.%{WORD:TEXT2}\).*%{WORD:code}:.*" }
    }
    mutate {
      remove_field => ["facility"]
      rename => { "message" => "errormessage" }
    }
  }
}

Regards

vasilev · June 13, 2024, 12:02pm

Thank you for the reply.

is working fine !

Topic		Replies	Views
Logstash Filter JSON syslog message field is not getting parsed Logstash	4	554	August 15, 2022
Parsing data from the message field of incoming json Logstash	2	626	September 14, 2017
How to extract json out of an event? Logstash	9	2488	July 12, 2018
Extract IP from message into a separate field Logstash	4	5637	January 9, 2018
Design options for ingesting syslog data Logstash	5	1257	May 18, 2020

Rsyslog to logstash as json -> extract pattern from message

Related Topics