
I've been tasked with managing our ELK stack and writing rules for elastalert, but need a specific part of one field I already have as its own field in order to use elastalert's query_key functionality on that field. We're using these rules here:

https://github.com/hpcugent/logstash-patterns/blob/master/files/grok-patterns

and the field I need is one part of a URIPATHPARAM which we already catch:

/path_field_1/UID/path_field_2/path_params

Where UID is a 32 character unique identifier of 0-9,a-z,A-Z. I can access the whole URI in Kibana, but I eventually need UID to be its own field so that I can use elastalert's query_key over it. The lines containing this UID are always preceded by "/path_to_field_1/".

As a total novice, I'm not sure what might be some (good?) ways to achieve this - and the documentation (which I've been poring over for a week) is pretty arcane.

Min.E.On

1 Answer


You were on the right track looking at grok. If the preceding bit is always the same, you could use grok to grab the UID:

grok {
  match => {
    # uri_field is the URI field already captured; %{DATA:UID} stores the
    # segment after /path_to_field_1/ as a field named "UID", while the
    # unnamed %{GREEDYDATA} matches the rest and is discarded
    "uri_field" => "/path_to_field_1/%{DATA:UID}/%{GREEDYDATA}"
  }
}
Will Barnwell
  • They are a bit short on examples, luckily SO is here! – Will Barnwell Jul 05 '16 at 20:00
  • Wonderful - this is actually what I was initially thinking was the solution, but it's very difficult to discern that that is how it works from the docs. Thanks! uri_field corresponds to the URI field I have already captured, and this will produce a field that is solely the UID, named UID, correct? – Min.E.On Jul 05 '16 at 20:06
  • It should; the `%{GREEDYDATA}` is not stored because it is an unnamed capture, which grok discards by default – Will Barnwell Jul 05 '16 at 20:19
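To make the answer's grok semantics concrete, here is an added Ruby example (not part of the answer or of Logstash) that expands a few grok patterns into a regexp the way grok does, runs the answer's match on a constructed URI, and then shows a tighter, constructed pattern (hypothetically named UID32) that only accepts the 32-character [0-9a-zA-Z] identifier the question describes. The tighter form matters when the field feeds elastalert's query_key: with %{DATA:UID}, any junk between the two slashes becomes a "UID" and a separate alert bucket.

```ruby
# Added example: a minimal grok-style expander, not logstash's own code.
# DATA and GREEDYDATA use the definitions from logstash's grok-patterns;
# UID32 is a constructed pattern name for this example.
GROK_PATTERNS = {
  "DATA"       => ".*?",             # non-greedy, like grok's DATA
  "GREEDYDATA" => ".*",              # greedy, like grok's GREEDYDATA
  "UID32"      => "[0-9A-Za-z]{32}"  # constructed: exactly 32 alphanumerics
}.freeze

# Expand %{PATTERN:name} / %{PATTERN} into a Ruby regexp. Named captures
# become fields; unnamed ones become non-capturing groups, i.e. they are
# discarded, which is grok's default behaviour for unnamed captures.
def grok_to_regexp(pattern)
  src = pattern.gsub(/%\{([A-Z0-9_]+)(?::([A-Za-z0-9_]+))?\}/) do
    body = GROK_PATTERNS.fetch(Regexp.last_match(1))
    name = Regexp.last_match(2)
    name ? "(?<#{name}>#{body})" : "(?:#{body})"
  end
  Regexp.new(src)
end

# Return the captured fields as a hash, or nil when the pattern fails.
def grok_match(pattern, text)
  m = grok_to_regexp(pattern).match(text)
  m ? m.named_captures : nil
end

# The answer's pattern and a stricter, constructed alternative.
LOOSE  = "/path_to_field_1/%{DATA:UID}/%{GREEDYDATA}".freeze
STRICT = "/path_to_field_1/%{UID32:UID}(?:/|$)".freeze

# Constructed sample URIs: one well-formed, one with a malformed segment.
GOOD_URI = "/path_to_field_1/aB3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW/path_field_2/x=1".freeze
BAD_URI  = "/path_to_field_1/not-a-real-uid/path_field_2/x=1".freeze

if __FILE__ == $PROGRAM_NAME
  [LOOSE, STRICT].each do |pat|
    [GOOD_URI, BAD_URI].each do |uri|
      puts "#{pat.ljust(48)} #{grok_match(pat, uri).inspect}"
    end
  end
end
```

With the loose pattern the malformed segment is happily stored as UID; with the strict one the event simply fails to match (and in Logstash would be tagged _grokparsefailure), which is the behaviour you want before a field drives alert grouping.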