Substring of column

I need to add a new column with a substring/extracted value of an available column.

Example:

Your XYZ Debit Card has been charged $ xxxxx.xx

I need to add columns

cardtype => Debit/Credit
Amount => xxxxx.xx

It would be great if anyone could help me out with the conf file setting.

Use grok

    grok {
        match => { "message" => [ "%{WORD:cardType} Card", "\$ %{NUMBER:amount:float}" ] }
        break_on_match => false
    }

I need to add two columns, that is cardtype and amount. For example:
23xxxxxxxxx,Mobilink,6222,Your MCB Debit Card has been charged PKR xx

"Your MCB Debit Card has been charged for PKR": this adds to one column, cardtype.
"PKR xxxx" goes to another column, which is Amount.
The result would be like this:
Message : 23xxxxxxxxx,Mobilink,6222,Your MCB Debit Card has been charged PKR xx
Cardtype : Debit, which is matched from the message, whichever card type it is
Amount : xxxxxx

Do you expect xxxxxx to match xx or a substring of xxxxxxxxx?

xxxxxxx to match with PKR XX

OK, so in the grok pattern I wrote replace \$ with PKR, or change it to (\$|PKR) if you want it to match either.

Can you write the full command? It will be helpful.

    match => { "message" => [ "%{WORD:cardType} Card", "(\$|PKR) %{NUMBER:amount:float}" ] }
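
An added example, not part of the thread: a Ruby sketch of how the grok filter walks the two-pattern array above, showing why `break_on_match => false` is needed to get both fields. The regexes are hand-expanded stand-ins for grok's WORD and NUMBER (an assumption), and the `grok` helper and sample messages are constructed for illustration.

```ruby
# Stand-ins for grok's WORD and NUMBER, expanded by hand (assumption: they
# mirror the stock grok-patterns definitions).
WORD   = '\b\w+\b'
NUMBER = '(?<![0-9.+-])(?>[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+))'

# The two expressions from the thread's match array, in the same order.
PATTERNS = [
  Regexp.new("(?<cardType>#{WORD}) Card"),
  Regexp.new("(\\$|PKR) (?<amount>#{NUMBER})")
].freeze

# Hypothetical helper that mimics how the grok filter walks the array.
def grok(message, break_on_match: true)
  event = { "message" => message }
  matched = false
  PATTERNS.each do |re|
    m = re.match(message)
    next unless m
    matched = true
    m.named_captures.each do |name, value|
      # ":float" in %{NUMBER:amount:float} converts the capture to a float.
      event[name] = name == "amount" ? value.to_f : value
    end
    break if break_on_match # default: stop after the first pattern that hits
  end
  event["tags"] = ["_grokparsefailure"] unless matched
  event
end

# Constructed sample messages, not real traffic.
SAMPLES = [
  "23000000000,Mobilink,6222,Your MCB Debit Card has been charged PKR 1500.50",
  "Your XYZ Credit Card has been charged $ 20.00",
  "Your MCB Debit Card has been charged PKR 1,500.50", # NUMBER stops at ","
  "Your balance is low"
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |line|
    puts grok(line, break_on_match: false).inspect
    puts grok(line).inspect # default break_on_match: amount is never set
  end
end
```

The third sample shows a data-quality caveat of the pattern: an amount written with a thousands separator is captured only up to the comma, so such messages need their own handling before the value is trusted.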

Thanks a ton !!
