Reputation: 11
How to extract a field that is contained inside of another field via logstash grok config
So let's say I have the following log message that I'm trying to capture via a grok filter:
"2018-10-02 18:00:00 INFO THIS_IS_A_TEST_MESSAGE"
I want to extract "THIS_IS_A_TEST_MESSAGE" as a field, but then additionally I want to capture just the word TEST as another field. I need them both to create some Kibana visualizations, but it requires them to be separate for aggregation purposes.
The current grok I have looks something like this:
match => { "message" => "%{TIME:time} %{LOGLEVEL:logLevel} %{WORD:payload}" }
So as I have it that creates 3 fields: time, logLevel, and payload; however, I need it to capture 4 fields, but the 4th field lies within the payload field. How can I adjust my grok to do this?
I am very new to ELK stack so still getting used to writing these configs.
Upvotes: 1
Views: 178
Answers (1)
Reputation: 4110
Use another grok filter on the payload field.
match => { "payload" => "[^_]*_[^_]*_[^_]*_%{DATA:data}_" }
I don't know what the data you want to extract is. I just took the data between the third and fourth _.
With the data you provided, I'm getting:data: TEST
Upvotes: 0
Related Questions
- how to parse and extract specific fields and store it into another field in logstash filter?
- grok pattern to extract data from log message
- Split a field from a document into multiple fields
- How to pull specific data from log using logstash and Grok and index as fields in Kibana for every record?
- Grok filter for logstash to match a specific value from a log file
- logstash extract and move nested fields into new parent field
- Logstash define field within a field
- how to extract a portion of a field and store it into another field in logstash filter?
- How to pull specific data out of a message in LogStash
- How can you parse 2 properties out of 1 value with grok in logstash?