Substitute GROK by dissect: test of writing

sam1975 · September 13, 2023, 10:05am

hello,
I want to substitute a grok filter by a dissect
In a few words, i want replace this grok filter

grok {
match => { "[raw_syslog_result][syslog_message]" => [
"THREAT,%{WORD:threat_type},%{DATA:generate_time},%{IP:source_ip},%{IP:dest_ip},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA},%{DATA:threat_contentname},%{DATA:threat_category},%{GREEDYDATA}"
]}
}

by this one

dissect{
mapping => {
"THREAT" => "{%threat_type} {%generate_time} {%source_ip}{%dest_ip}{%threat_contentname}{%threat_category}"
}
}

i've doubt on the syntax: is that correct?
Regards

Rios · September 13, 2023, 10:27am

Should be like this:

 dissect {
	mapping => {
        "[raw_syslog_result][syslog_message]" => "THREAT,%{threat_type},%{generate_time} %{source_ip},%{dest_ip},%{},%{},(put %{}enough times),%{threat_contentname},%{threat_category},%{}"
	}

Also you can use CSV plugin for that. Something like this:

  csv{
     source => "[raw_syslog_result][syslog_message]"
     columns => ["THREAT","threat_type", "generate_time"... ] # add other column names
     skip_empty_columns => true
     skip_empty_rows => true
	}

sam1975 · September 13, 2023, 12:07pm

nice! it works

system · October 11, 2023, 12:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.