Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

have a grok filter create nested fields as a result

Tags:

syslog

logstash

logstash-grok

I have a drupal watchdog syslog file that I want to parse into essentially two nested fields, the syslog part and the message part so that I get this result

syslogpart: {
  timestamp: "",
  host: "",
  ...
},
messagepart:{
  parsedfield1: "",
  parsedfield2: "",
  ...
}

I tried making a custom pattern that looks like this:

DRUPALSYSLOG (%{SYSLOGTIMESTAMP:date} %{SYSLOGHOST:logsource} %{WORD:program}: %{URL:domain}\|%{EPOCH:epoch}\|%{WORD:instigator}\|%{IP:ip}\|%{URL:referrer}\|%{URL:request}\|(?<user_id>\d+)\|\|)

and then run match => ['message', '%{DRUPALSYSLOG:drupal}'}

but I don't get a nested response, I get a textblock drupal: "ALL THE MATCHING FIELDS IN ONE STRING" and then all the matches separately as well but not nested under drupal but rather on the same level.

like image 399
Killerpixler Avatar asked Feb 26 '15 17:02

Killerpixler

People also ask

How does a grok filter work?

Grok works by combining text patterns into something that matches your logs. The SYNTAX is the name of the pattern that will match your text. For example, “3.44” will be matched by the NUMBER pattern and “55.3. 244.1” will be matched by the IP pattern.

What is grok filter in LogStash?

Put simply, grok is a way to match a line against a regular expression, map specific parts of the line into dedicated fields, and perform actions based on this mapping. Built-in, there are over 200 Logstash patterns for filtering items such as words, numbers, and dates in AWS, Bacula, Bro, Linux-Syslog and more.

What is a grok parser?

Grok is a pattern matching syntax that you can use to parse arbitrary text and structure it. Grok is good for parsing syslog, apache, and other webserver logs, mysql logs, and in general, any log format that is written for human consumption.

1 Answers

Yes, this is expected. I don't think there's a way to produce nested fields with grok. I suspect you'll have to use the mutate filter to move them into place.

mutate {
    rename => {
      "date" => "[drupal][date]"
      "instigator" => "[drupal][instigator]"
      ...
    }
  }

If you have a lot of fields it might be more convenient to use a ruby filter. This is especially true if you prefix Drupal fields with e.g. "drupal." – then you'd write a filter to move all fields with that prefix into a subfield with the same name.

like image 103
Magnus Bäck Avatar answered Sep 18 '22 21:09

Magnus Bäck
Sign in to Comment

Related questions

How to parse json in logstash /grok from a text file line?
Logstash multiple inputs multiple outputs
Logstash SQL Server Data Import
Updating the default index number_of_replicas setting for new indices
Import JSON Files into Logstash + Elasticsearch + Kibana
Logstash agent not indexing anymore
Logstash indexing JSON arrays
How to do a time range search in Kibana
Logstash close file descriptors?
logstash _grokparsefailure issues
How to setup ElasticSearch index structure with multiple entity bindings
best way to send docker container logs to logstash
How to generate @timestamp in logstash by combining two fields / columns of input csv
Logstash filter remove_field for all fields except a specified list of fields
Simplest way to get data from AWS mysql RDS to AWS Elasticsearch?
Send spring boot logs directly to logstash with no file
How to decrease Logstash Memory Usage
How to reference environment variables in logstash configuration file?
which jdbc (connector/j) to install for mac os
logstash tab separator not escaping

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!