Splitting IP addresses

ecamero2 · March 29, 2018, 4:06pm

Good Morning,

I have a need to remove part of a field if it exists. I have a field that contains either one or two ip addresses:

ie: "1.2.3.4" OR "1.2.3.4,5.6.7.8"

I only want to retain the first address (before the comma) if there is two. This is my current config:

 if [auth_info][ipaddress] =~ "," {
    grok {
        match => { "[auth_info][ipaddress]" => "%{DATA:[auth_info][ipaddress]}," }
    }
 }

But it is never even getting through the conditional (no events are hitting the grok)

Any ideas?

yaauie · March 29, 2018, 6:02pm

the right-hand side of your expression is a literal string, not a pattern; we should be more informative when encountering this, because a value will never "match" a literal string.

I believe you are looking for:

if [auth_info][ipaddress] =~ /,/ {
  # ...
}

What version of Logstash? I'd like to make sure we catch this and provide a useful error message in the future.

yaauie · March 29, 2018, 6:14pm

You may also be better off performance-wise using the gsub directive of the mutate filter:

filter {
  if [auth_info][ipaddress] =~ /,/ {
    mutate {
      gsub => [
        "[auth_info][ipaddress]", ",.*$", ""
      ]
    }
  }
}

system · April 26, 2018, 6:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Help splitting field into two Logstash	5	475	May 23, 2019
Do Grok patterns have a place in the if =~ conditional matching? Logstash	3	5924	July 6, 2017
Conditional filtering by source with IP addresses Logstash	7	7000	April 11, 2017
Match multiple ip segment Regex Logstash	4	813	October 13, 2017
Last IP from possible comma separated list of IPs Logstash	3	386	June 4, 2020

Splitting IP addresses

Related topics