1
votes

So let's say I have the following log message that I'm trying to capture via a grok filter:

"2018-10-02 18:00:00 INFO THIS_IS_A_TEST_MESSAGE"

I want to extract "THIS_IS_A_TEST_MESSAGE" as a field, but then additionally I want to capture just the word TEST as another field. I need them both to create some Kibana visualizations, but it requires them to be separate for aggregation purposes.

The current grok I have looks something like this:

match => { "message" => "%{TIME:time} %{LOGLEVEL:logLevel} %{WORD:payload}" }

So as I have it, that creates 3 fields: time, logLevel, and payload; however, I need it to capture 4 fields, but the 4th field lies within the payload field. How can I adjust my grok to do this?

I am very new to ELK stack so still getting used to writing these configs.

1
To test your grok pattern, here's an address: grokconstructor.appspot.com/do/match#result
baudsp

1 Answer

0
votes

Use another grok filter on the payload field.

match => { "payload" => "[^_]*_[^_]*_[^_]*_%{DATA:data}_" }

I don't know what the data you want to extract is. I just took the data between the third and fourth _.

With the data you provided, I'm getting: data: TEST
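To check the two-stage extraction from the question and the answer above without a running Logstash, here is an added example (not code from the thread and not Logstash's own implementation) that emulates the two grok filters in Python. It expands a handful of grok pattern names into simplified stand-ins for the stock Logstash definitions (an assumption: the real build uses Oniguruma, so edge cases can differ), applies the first pattern to `message` and the answer's pattern to `payload`, and tags the event with `_grokparsefailure` when a pattern does not match, as Logstash does. It goes slightly beyond the thread by capturing the whole date-time with `TIMESTAMP_ISO8601` instead of `TIME`, and by feeding it a second constructed line whose payload has too few underscores, to show how the position-based pattern fails.

```python
"""Emulate the two-stage grok extraction from the thread with Python's re.

Added example: not code from the original thread or from Logstash. The pattern
definitions below are simplified equivalents of the stock grok-patterns entries
(assumption: close enough for these log lines; Logstash uses Oniguruma, not re).
"""
import re

# Simplified stand-ins for the grok-patterns library entries.
GROK_PATTERNS = {
    "TIMESTAMP_ISO8601": (
        r"\d{4}-\d{2}-\d{2}[T ]\d{2}:?\d{2}(?::?\d{2}(?:\.\d+)?)?"
        r"(?:Z|[+-]\d{2}:?\d{2})?"
    ),
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|WARN(?:ING)?|ERROR|FATAL|SEVERE|CRITICAL)",
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
}

# %{NAME} or %{NAME:field}
_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> re.Pattern:
    """Expand %{NAME:field} references into named groups and compile."""
    def repl(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(_REF.sub(repl, pattern))


def grok(event: dict, source: str, pattern: str) -> dict:
    """Apply one grok filter to event[source]: merge the captures into the
    event, or add the _grokparsefailure tag when the pattern does not match.
    Like Logstash, the match is an unanchored search."""
    text = event.get(source)
    m = grok_to_regex(pattern).search(text) if isinstance(text, str) else None
    if m is None:
        event.setdefault("tags", []).append("_grokparsefailure")
        return event
    event.update({k: v for k, v in m.groupdict().items() if v is not None})
    return event


# First grok: the question's pattern, with the full date-time captured.
FIRST = "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:logLevel} %{WORD:payload}"
# Second grok: the answer's pattern, run against the payload field.
SECOND = "[^_]*_[^_]*_[^_]*_%{DATA:data}_"


def parse_line(line: str) -> dict:
    """Run both filters in order, as two grok blocks in a Logstash pipeline would."""
    event = grok({"message": line}, "message", FIRST)
    if "payload" in event:
        event = grok(event, "payload", SECOND)
    return event


# Constructed sample lines for this example (the first is the one from the thread).
SAMPLE_LINES = [
    "2018-10-02 18:00:00 INFO THIS_IS_A_TEST_MESSAGE",
    "2018-10-02 18:00:01 WARN SHORT_MESSAGE",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_line(sample))
```

The second sample line shows the caveat with the answer's pattern: it hard-codes that the wanted word is the fourth underscore-separated token, so any payload with fewer tokens leaves `data` unset and tags the event with `_grokparsefailure`. If those payloads are expected in production, either guard the second grok with a conditional on the payload shape or write a pattern that describes the token you want rather than its position.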