Regex in config for dynamic columns in logstash -

- July 15, 2010

i have log file of have pasted 2 rows below:

nov 26 14:20:32 172.16.0.1 date=2014-11-26 time=14:18:37 devname=xxxxcccfffff devid=xxxccvvgffdd logid=3454363464 type=traffic subtype=forward level=notice vd=root srcip=172.16.1.251 srcport=62032 srcintf="combo_lan" dstip=x.x.x.x dstport=x dstintf="wan2" sessionid=16172588 status=close user="x.x" group="open group" policyid=2 dstcountry="united states" srccountry="reserved" trandisp=snat transip=x.x.x.x transport=x service=http proto=6 applist="block_applications" duration=11 sentbyte=2377 rcvdbyte=784 sentpkt=6 rcvdpkt=7 identidx=5 utmaction=passthrough utmevent=webfilter utmsubtype=ftgd-cat urlcnt=1 hostname="tacoda.at.atwola.com" catdesc="advertising"

nov 26 14:20:32 172.16.0.1 date=2014-11-26 time=14:18:37 devname=xxxxcccfffff devid=xxxccvvgffdd logid=3454363464 type=utm subtype=webfilter eventtype=ftgd_allow level=notice vd="root" policyid=2 identidx=5 sessionid=15536743 user="x.x" srcip=x.x.x.x srcport=x srcintf="combo_lan" dstip=x.x.x.x dstport=80 dstintf="wan2" service="http" hostname="streaming.sbismart.com" profiletype="webfilter_profile" profile="open group_policy" status="passthrough" reqtype="direct" url="/diffusion/" sentbyte=984 rcvdbyte=202 msg="url belongs allowed category in policy" method=domain class=0 cat=18 catdesc="brokerage , trading"

my question can parse data if number of columns , order fixed.

but, how parse dynamic columns in config file don't _grokparsefailure?

ruby plugin can you.

here configuration:

input {     stdin{     } }  filter {     ruby {         code => '             msg = event["message"]             msgindex = msg.index("date=")             msginsert = msg[msgindex..-1]             msgmap = msginsert.scan(/(\w+)=("(.*?)"|([^ ]+))/).map { |(first, second)| [first, second] }             x in msgmap                 key = x[0]                 value = x[1]                 event[key] = value             end         '     } }  output {     stdout{         codec => rubydebug     } }

first, key=value pair index start value date=
then map key,value string array.
use for loop insert value.

i have try logs , can create correspond field value. hope can you

Search This Blog

GCM

Regex in config for dynamic columns in logstash -

Comments

Post a Comment

Popular posts from this blog

javascript - Any ideas when Firefox is likely to implement lengthAdjust and textLength? -

matlab - "Contour not rendered for non-finite ZData" -

delphi - Indy UDP Read Contents of Adata -