Radonusername
Reputation: 19
Logstash filter to copy some text from the log message
I'm currently loggin some text message like this:
"Some text: some variable text"
"Some other text: some other variable text"
And I need to copy the variable part of the message to a new field, in order to have two new fields like this
"field1" : " some variable text"
"field2" : "some other variable text"
So far only been able to copy the entire text message to a new field with the filebeat processors, and the same with logstash. I've done some research and I saw I mightbe able to use conditionals, and with the mutate filter:
filter {
if "Some text" in [message] {
mutate { add_field =>{ "field1" => }}}
But I'vent found how to copy the "some variable text" into the new field. Does someone knows how to do it?
Upvotes: 0
Views: 715
Answers (1)
YLR
Reputation: 1540
One solution is to use directly grok filter like this :
filter{
grok {
match => {
"message" => "^Some text: %{GREEDYDATA:field1}"
}
}
grok {
match => {
"message" => "^Some other text: %{GREEDYDATA:field2}"
}
}
}
The advantage is this is more readable and more easy to maintain than if condition.
You can change the grok to handle all case in one line :
filter{
grok {
match => {
"message" => "^(Some text: %{GREEDYDATA:field1}|Some other text: %{GREEDYDATA:field2})"
}
}
}
Upvotes: 1
Related Questions
- How to filter log file using logtash and filebeat
- how to parse and extract specific fields and store it into another field in logstash filter?
- Extract JSON from a log Logstash
- Paring log text through grok filter in logstash on the given log structure
- Logstash matches multiple value
- how to store my json log file to logstash with json filter
- Grok filter for logstash to match a specific value from a log file
- how to filter a simple message via LogStash to ElasticSearch dividing the message in multiple fields
- Filter specific Message with logstash before sending to ElasticSearch
- Logstash filter timestamp from log message