I have a string field named "One".
<165>Original Address=1.1.1.1 1 2021-01-28T15:08:03.136-05:00 DeviceName - - - - fpc3 DHCP Packet Drop: Packet src ip/mac 192.168.123.1/54:48:10:db:86:b6
I use
mutate {
  split => { "One" => " " }
}
to split on the space, which looks like this:
<165>Original, Address=1.1.1.1, Jan, 28, 16:38:42, DeviceName, fpc3, DHCP, Packet, Drop:, Packet, src, ip/mac, 192.168.123.1/54:48:10:db:86:b6
I then use
mutate {
  add_field => { "Hostname" => "%{One[5]}" }
}
to create a new field named "Hostname" from the data at index 5 of the "One" field. However, I get this error in the logstash logs:
Exception caught while applying mutate filter {:exception=>"Invalid FieldReference: `One[5]`"}
According to this documentation, it should work:
Badger
January 28, 2021, 10:11pm
The documentation is out of date. The field reference should be
"%{[One][5]}"
References without square brackets were disallowed a few versions back.
That worked. Hopefully the documentation will get updated. One more thing. Once I split on the space:
<165>Original, Address=1.1.1.1, Jan, 28, 16:38:42, DeviceName, fpc3, DHCP, Packet, Drop:, Packet, src, ip/mac, 192.168.123.1/54:48:10:db:86:b6
Is there a way to retrieve just the three indexes at "DHCP, Packet, Drop" and then combine them into one new field named "EventType"? So I would have "EventType: DHCP Packet Drop".
Badger
January 29, 2021, 5:01pm
Use mutate+add_field with multiple sprintf references
mutate {
  # indexes 7, 8 and 9 of the split "One" array are "DHCP", "Packet" and "Drop:"
  # (the trailing colon on "Drop:" stays unless it is stripped with a gsub)
  add_field => { "EventType" => "%{[One][7]} %{[One][8]} %{[One][9]}" }
}
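Putting the two answers together, here is an added filter section (example config written for this page, not taken from either poster) that does the split, builds both fields with the bracketed reference syntax, strips the trailing colon from "Drop:", and checks the token layout first: the raw line in the first post carries "- - - -" placeholders that the split output above does not, and those shift every index, so a positional reference that is right for one sample silently picks the wrong token for another. It assumes the raw line arrives in the "One" field and that the tag name is your choice.

```logstash
filter {
  mutate {
    split => { "One" => " " }
  }

  # Positional references only hold when the token count matches the sample
  # this thread was written against (DeviceName at index 5, "DHCP" at index 7).
  # Check the layout before trusting the positions.
  if [One][7] == "DHCP" {
    mutate {
      add_field => {
        "Hostname"  => "%{[One][5]}"
        "EventType" => "%{[One][7]} %{[One][8]} %{[One][9]}"
      }
    }
    # gsub runs before add_field inside one mutate block, so the colon is
    # removed in a second block, giving "DHCP Packet Drop".
    mutate {
      gsub => [ "EventType", ":$", "" ]
    }
  } else {
    # Unexpected layout: tag the event instead of filling the fields with the
    # wrong tokens, so the mismatch is visible when you search the pipeline output.
    mutate { add_tag => [ "_one_layout_mismatch" ] }
  }
}
```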
system
Closed
February 26, 2021, 5:02pm
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.