Hi all,
I was wondering, is there any way to take an array of matching values out of Grok plugin. let's explain more with an example:
I have a message like "message" = "whatever 0.0.0.0 whatever 1.1.1.1 something 2.2.2.2 ending"
As we can see I have in this example 3 IPs where it can be no IP or n of them. What I am looking for is using something like this %{IPS:ips} and get all IPs in an array in the result.
Any way?
In general, this is the default behavior of the grok filter. If you have multiple patterns referring to the same field, it will insert all found values to it as an array.
E.g.
filter {
grok {
match => ["message","%{NOTSPACE} %{IPV4:ips} %{NOTSPACE} %{IPV4:ips} %{NOTSPACE} %{IPV4:ips}"]
}
}Will give you something like
{
"@timestamp" => xxx,
"ips" => [
[0] "0.0.0.0",
[1] "1.1.1.1",
[2] "2.2.2.2"
],
"@version" => "1",
"host" => "xxx",
"message" => "whatever 0.0.0.0 whatever 1.1.1.1 something 2.2.2.2 ending\r"
}But if you're looking for recursive patterns, which I assume you do given you mention you don't know beforehand the amount of repetitions you'll get, there are 2 avenues:
filter {
ruby {
code => "
event.set('ips', event.get('message').scan(/[0-9.]+/))
"
}
}Sidenote: Depending on the log structure, other filters might be more appropriate and/or cleaner, like CSV/Dissect/etc.
Thanks for the reply, I have tested what you mentioned with Grok debugger but the result is not as expected. Anything I have missed
Have you tried running it in Logstash instead?
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
