Splitting greedydata

Alex_Mendez · March 13, 2017, 7:44pm

Greetings, I'd like to know if its possible to split the message in GREEDYDATA further into searchable data.

Example

line in log stash
grok {
match => [ "message", "%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME} %{PROG:program}(?:[%{POSINT:pid}])? %{GREEDYDATA:msgsplit}"]

logstash output

logstash[17194]: "msgsplit" => " Did not receive identification string from ",

logstash[17194]: "msgsplit" => " pam_unix(sshd:session): session opened for user tester by (uid=0)",

Can i take GREEDYDATA,"msgsplit" and further break that down? If so , any guidance on the best way to approach this?

rayl7786 · March 13, 2017, 8:36pm

I did something similar,

grok {
match => { "message" => "%{SYSLOGTIMESTAMP:date} %{IPORHOST:hostname} %{GREEDYDATA:msg}" }
}
mutate {
replace => [ "message", "%{msg}" ]
}
mutate {
remove_field => [ "msg" ]
}
grok {
match => { "message" => "" }
}

Not sure if this is what you are looking for.

magnusbaeck · March 14, 2017, 6:25am

grok {
match => { "message" => "%{SYSLOGTIMESTAMP:date} %{IPORHOST:hostname} %{GREEDYDATA:msg}" }
}
mutate {
replace => [ "message", "%{msg}" ]
}
mutate {
remove_field => [ "msg" ]
}

Shorter:

grok {
  match => { "message" => "%{SYSLOGTIMESTAMP:date} %{IPORHOST:hostname} %{GREEDYDATA:msg}" }
  overwrite => ["message"]
}

grok {
match => { "message" => "" }
}

What's this supposed to mean?

magnusbaeck · March 14, 2017, 6:27am

Can i take GREEDYDATA,"msgsplit" and further break that down? If so , any guidance on the best way to approach this?

You can apply another grok filter to your msgsplit field. Or, don't use GREEDYDATA in the first place; just use a more specific pattern.

rayl7786 · March 14, 2017, 12:17pm

Sorry, I should have stated something in between the "". I just left it blank to show what I did. Thank you for the shorter way. I will implement this in my filters.

In yours, the 'overwrite => ["message"]' should show the field name you used for Greedydata, correct?

magnusbaeck · March 14, 2017, 12:30pm

In yours, the 'overwrite => ["message"]' should show the field name you used for Greedydata, correct?

Yes.

Alex_Mendez · April 5, 2017, 6:18pm

thanks i ended up creating a more specific pattern

system · May 3, 2017, 6:18pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.