Split Logfiles

A.Klos · June 28, 2018, 8:56am

Hi,

we have following logformat:

How could I split this into fields?

currently my grok pattern (not all fields ):

match => [ "message" , "%{TIMESTAMP_ISO8601:timestamp}|%{WORD:field1}|%{WORD:field2}|%{WORD:field3}|%{WORD:field4}|%{GREEDYDATA:msg}" ]

Some Fields also could be empty.

How do I split those logs into seperate fields?

Regards

magnusbaeck · June 28, 2018, 11:10am

You may find the dissect filter easier to use in this case.

A.Klos · June 28, 2018, 11:46am

I think it would be possible by split:

mutate{
split => {"message" => "|"}
}

Output is now:

[0] Field1
[1] Field2
[2] Field3

and so on

If I try to add [1] into a field I got grokparsefailure
add_field => [ "received_from", "%{message}[3]" ]

What's wrong?

A.Klos · June 28, 2018, 12:29pm

Not it looks working:

if [type] == "FilePluginInput" {
grok {

      match => [ "message" , "%{TIMESTAMP_ISO8601:timestamp}\|%{GREEDYDATA:nachricht}" ]
  }
  mutate{
    split => {"nachricht" => "|"}
     add_field => ["severity", "%{[nachricht][7]}" ]
     add_field => ["msg", "%{[nachricht][9]}" ]

}
date {
match => [ "timestamp", "yyyy-MM-dd HH:mm:ss" ]
timezone => [ "Europe/Berlin" ]
target => "@timestamp"
}
}
}

Because whe have 2 differnt seperators (; and |), would it be possible using if then else statement?

If seperator = "|" then
if [type] == "FilePluginInput" {
grok {

      match => [ "message" , "%{TIMESTAMP_ISO8601:timestamp}\|%{GREEDYDATA:nachricht}" ]
  }
  mutate{
    split => {"nachricht" => "|"}
     add_field => ["severity", "%{[nachricht][7]}" ]
     add_field => ["msg", "%{[nachricht][9]}" ]

}
date {
match => [ "timestamp", "yyyy-MM-dd HH:mm:ss" ]
timezone => [ "Europe/Berlin" ]
target => "@timestamp"
}
}
}
else
if [type] == "FilePluginInput" {
grok {

      match => [ "message" , "%{TIMESTAMP_ISO8601:timestamp}\|%{GREEDYDATA:nachricht}" ]
  }
  mutate{
    split => {"nachricht" => ";"}
     add_field => ["severity", "%{[nachricht][7]}" ]
     add_field => ["msg", "%{[nachricht][9]}" ]

}
date {
match => [ "timestamp", "yyyy-MM-dd HH:mm:ss" ]
timezone => [ "Europe/Berlin" ]
target => "@timestamp"
}
}
}

system · July 26, 2018, 12:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Create fields by splitting a log Logstash	8	1226	April 2, 2020
Splitting message into fields to create chart based on those fields Logstash	7	3758	August 9, 2017
Splitting multiple strings into subfields Logstash	1	233	October 2, 2020
Could not split in multiline Logs in Logstash Logstash	4	872	July 12, 2018
My log has the timestamp splited i need to join various fields into a timestamp unique field Logstash	5	909	August 23, 2017

Split Logfiles

Related topics