karmax
Reputation: 181
How to extract value from log with grok and logstash
I must extract value from a log composed by row like this:
<38>1 [2017-03-15T08:45:23.168Z] apache.01.mysite.com event=login;src_ip=xxx.xxx.xxx.xxx\, xxx.xxx.xxx.xxx\, xxx.xxx.xxx.xxx;site=FE-B1-Site;cstnr=1454528;user=498119;result=SUCCESS
For example with %{IP:source} I obtain only the first IP but, sometimes, I have 3 IP address. How I can extract all IP,'cstnr', 'result' and 'user' ?
Upvotes: 0
Views: 301
Answers (1)
sysadmin1138
Reputation: 1303
Looks like you have a nested, delimited key-value format. First delimiter is ;, with each of those a key=value. Additionally, the values are delimited on ,'. You have enough grok to get the first IP address, but I suggest doing something a bit different:
- Use
grokto grab the entire string after your site-name. - Use the
kvfilter withfield_split => ';', which will create fields named the same as your keys. - Use the
csvfilter on thesrc_ipaddress captured in thekvfilter stage.- Use
columns => [ cstnr', 'result', 'user' ]to get those fields named right.
- Use
Upvotes: 1
Related Questions
- How to filter a value from the request line of log
- logstash Grok to extract different data from log file containing different log
- logstash log parsing with regex and grok
- grok pattern to extract data from log message
- How to write the grok expression for my log?
- using grok to extract log data
- Trying to parse a custom log using grok
- how do you parse text in grok
- how to assign particular value from logstash output
- grok pattern for extracting info in logstash