newbie filter question - logstash-users

The old Google Groups will be going away soon, but your browser is incompatible with the new version.

« Groups Home

logstash-users

Home

Discussions

+ new post

About this group

Join this group

Message from discussion newbie filter question

Michael Baydoun

View profile

More options Apr 27 2012, 3:15 pm

From: Michael Baydoun <indymicha...@gmail.com>

Date: Fri, 27 Apr 2012 15:15:40 -0400

Local: Fri, Apr 27 2012 3:15 pm

Subject: Re: [logstash-users] newbie filter question

Print | View thread | Show original | Report this message | Find messages by this author

But of course, combining the dns and mutate filters did work
dns {
type => 'linux-syslog'
reverse => [ "@source_host", "%{logsource}" ]
action => "replace"
}
mutate {
type => 'linux-syslog'
replace => [ "@source_host", "%{logsource}" ]
}

Thanks for pointing me in the right direction Harlan!

On Fri, Apr 27, 2012 at 2:36 PM, Michael Baydoun <indymicha...@gmail.com>wrote:

> Instead it is replacing the ip address in the logsource field with the
> results of the dns lookup

> On Fri, Apr 27, 2012 at 2:27 PM, Michael Baydoun <indymicha...@gmail.com>wrote:

>> Maybe there is a better way to go
>> There is also a field named "logsource" that contains the ip address of
>> the network devices
>> The logsource field has correct data in it for all the network devices
>> I've checked

>> Maybe the dns filter is the way to go, so I tried the following, wanting
>> it to reverse lookup the ip in the logsource field and place the result in
>> the source_host field. Doesn't appear to work, did I mis interpret the dns
>> filter doc? http://logstash.net/docs/1.1.0/filters/dns

>> dns {
>> type => 'linux-syslog'
>> reverse => [ "@source_host", "%{logsource}" ]
>> action => "replace"
>> }

>> On Fri, Apr 27, 2012 at 2:15 PM, Harlan Barnes <hbar...@pobox.com> wrote:

>>> On 04/27/2012 01:51 PM, Michael Baydoun wrote:

>>>> Interesting, that worked a little to well
>>>> Some of the other records have funny program names like "16255502
>>>> <http://graylog2.wi/messages?**filters%5Badditional%5D%**
>>>> 5Bkeys%5D%5B%5D=program&**filters%5Badditional%5D%**
>>>> 5Bvalues%5D%5B%5D=16255502<http://graylog2.wi/messages?filters%5Badditional%5D%5Bkeys%5D%5B%5D=p...>
>>>> >"

>>>> Now I have a couple hundred extra hosts on my hosts tab

>>>> A conditional would solve it, but I don't see any conditional in mutate

>>> Well there are conditionals based on the type and the tag ... Do you
>>> mean a conditional like "if this value looks like a hostname" then execute
>>> the filter? You could do that with a grep filter using add_tag to mark the
>>> ones that match. Then applying that tag to your mutate filter would do it.

>>> After looking it a little closer, it looks like the gelf output can
>>> handle this directly and not need a mutate filter.

>>> http://logstash.net/docs/1.1.**0/outputs/gelf<http://logstash.net/docs/1.1.0/outputs/gelf>

>>> sender
>>> - Value type is string
>>> - Default value is "%{@source_host}"
>>> Allow overriding of the gelf 'sender' field. This is useful if you want
>>> to use something other than the event's source host as the "sender" of an
>>> event. A common case for this is using the application name instead of the
>>> hostname.

>>> So adding something like:

>>> sender => "%{program}"

>>> to your output might do it.

>>> But again, you probably have the same problem with the odd values in the
>>> program.

>>> Harlan

Create a group - Google Groups - Google Home - Terms of Service - Privacy Policy

Account Options