I'm trying to work with grok to parse a certain log file into fields to use in an ingest pipeline for Filebeat. This is my grok pattern as it looks now:
%{TIMESTAMP_ISO8601:log_time} %{NOTSPACE:device_id} %{DATA:OS} %{GREEDYDATA:message}
Everything works, but the message field in particular comes out like this:
"message": [
[
"a:d:l: Notifying connector 'DEVICE DISCONNECTED' [sn=0046750038, version=8.0, model=Moto Z2 Play, manufacture=motorola]"
I want to have these items in message as separate fields. For example: version into a version field, model into model and manufacture into manufacture. This is the log I'm working with:
2022-07-18 11:55:54,327 [0046750038] [Android] a:d:l: Notifying connector 'DEVICE DISCONNECTED' [sn=0046750038, version=8.0, model=Moto Z2 Play, manufacture=motorola]
I'm a beginner with grok and have been trying to make this happen based on what I see on the internet, but still couldn't make it work. If anyone is able to help, I'll be glad!
Best regards.
You can use grok with kv in this case.
grok {
  # TIMESTAMP_ISO8601 is the pattern name; the field name goes after the colon.
  # TIME alone would only match the hh:mm:ss part and the whole match would fail.
  match => { "message" => "%{TIMESTAMP_ISO8601:log_time} \[%{WORD:device_id}\] \[%{DATA:OS}\] %{GREEDYDATA:some} '%{GREEDYDATA:status}' \[%{GREEDYDATA:device_details}\]" }
}
kv {
  source => "device_details"
  field_split_pattern => ","
  value_split => "="
  # strip the space that follows each comma so the keys come out as
  # "version", not " version"
  trim_key => " "
}
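Since the question is about a Filebeat ingest pipeline rather than Logstash, here is the same two-step parse as an Elasticsearch ingest pipeline body (added example, not the answerer's config): send it with PUT _ingest/pipeline/<your-pipeline-name>. The field names log_time, device_id, os, event, status and device_details are my own choices; note that the kv processor's field_split is a regex, so ",\\s*" also swallows the space after each comma and keeps values such as "Moto Z2 Play" intact.

```json
{
  "description": "Split the bracketed device details into their own fields",
  "processors": [
    {
      "grok": {
        "field": "message",
        "patterns": [
          "%{TIMESTAMP_ISO8601:log_time} \\[%{NOTSPACE:device_id}\\] \\[%{DATA:os}\\] %{GREEDYDATA:event} '%{GREEDYDATA:status}' \\[%{GREEDYDATA:device_details}\\]"
        ]
      }
    },
    {
      "kv": {
        "field": "device_details",
        "field_split": ",\\s*",
        "value_split": "=",
        "ignore_missing": true
      }
    },
    {
      "remove": {
        "field": "device_details"
      }
    }
  ]
}
```

Run it against the sample line with POST _ingest/pipeline/<your-pipeline-name>/_simulate before pointing Filebeat at it; for that line you should see sn, version, model and manufacture appear as top-level fields alongside log_time, device_id, os, event and status.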