How to write grok filter in logstash to accept variable arguments

Question

How to write grok filter rule, if message contains transactions of variable arguments.

For example:

22-Jun-2015 04:45:56 Transaction for Bill 123 item1=100 item2=200 item3=300
22-Jun-2015 05:45:23 Transaction for Bill 124 item1=200
22-Jun-2015 06:23:36 Transaction for Bill 125 item4=400 item2=200 item1=100 item5=500

We can match date, time, bill # in the above case but how to handle for variable arguments item here.

Use the [kv filter](https://www.elastic.co/guide/en/logstash/current/plugins-filters-kv.html)? — Magnus Bäck, Jul 03 '15 at 14:02

score 0 · Answer 1 · answered Jul 04 '15 at 19:23

Finally I was able to do that using kv{} option of logstash

For example:

 item1=100&item2=200&item3=300
 item1=100&item2=200&item3=300&item4=400

I created two messages and then I got the below output;

{
   "message" => "item1=100&item2=200&item3=300",
  "@version" => "1",
"@timestamp" => "2015-07-04T19:20:15.831Z",
      "host" => "viswesn-PC",
     "item1" => "100",
     "item2" => "200",
     "item3" => "300",
      "tags" => [
          [0] "true"
      ]
}
  {
   "message" => "item1=100&item2=200&item3=300&item4=400",
  "@version" => "1",
"@timestamp" => "2015-07-04T19:20:25.866Z",
      "host" => "viswesn-PC",
     "item1" => "100",
     "item2" => "200",
     "item3" => "300",
     "item4" => "400",
      "tags" => [
         [0] "true"
   ]
}

How to write grok filter in logstash to accept variable arguments

1 Answers1