Regex to filter out last column of a log
I am wanting to filter out the last column of a log (in this case, the one with the number 3.20) to only show results 75.00 and higher.
Here is what the field I'm trying to parse out looks like:
<133>Feb 24 11:44:03 HostDBP01 HostDBP: sda 0.00 40.00 0.00 170.00 0.00 7.60 91.58 0.09 0.52 0.00 0.52 0.19 3.20
Attached is a photo of my current filter/regex that gets close sometimes, but still checks every single column (instead of just the last one).
Is this possible with Nagios Log Server?
scottwilkerson
DevOps Engineer, Nagios Enterprises
Joined: Tue Nov 15, 2011 3:11 pm
Re: Regex to filter out last column of a log
Are they all 13 number sets long?
maybe something like this
Code:
(([0-9]+.[0-9]{2} ){12}[8-9]+.[0-9]{2})
This would match anything for the first 12 sets and then 80+ for the last set
Re: Regex to filter out last column of a log
scottwilkerson wrote:
> Are they all 13 number sets long?
> maybe something like this
> Code:
> (([0-9]+.[0-9]{2} ){12}[8-9]+.[0-9]{2})
> This would match anything for the first 12 sets and then 80+ for the last set
Yes, they are all 13 number sets long.
Is that a new regex that you think I should add on to the existing one that I have? Or just replace it? If I replace it in Nagios Log Server, I get 0 results, just a constant loading. I know for a fact that there are results in the range that should appear.
scottwilkerson
Re: Regex to filter out last column of a log
This was just a guess, but I do see that I made a mistake
try this
Code:
(([0-9]+.[0-9]{2} ){12}[8-9]+[0-9].[0-9]{2})
I don't have any data like this so I'm really just throwing something out there based on this doc
https://www.elastic.co/guide/en/elastic ... query.html
Re: Regex to filter out last column of a log
scottwilkerson wrote:
> This was just a guess, but I do see that I made a mistake
> try this
> Code:
> (([0-9]+.[0-9]{2} ){12}[8-9]+[0-9].[0-9]{2})
> I don't have any data like this so I'm really just throwing something out there based on this doc
> https://www.elastic.co/guide/en/elastic ... query.html
Still no go.
scottwilkerson
Re: Regex to filter out last column of a log
I have tried everything I could think of and the more I try, the more I believe it isn't possible without breaking the messages up when they come in with a grok filter and placing each of the values in their own fields.
https://assets.nagios.com/downloads/nag ... ilters.pdf
Re: Regex to filter out last column of a log
Alright, that might be a better option.
Could you give me an idea of what grok pattern/filter input would be best to use to accomplish this issue?
Re: Regex to filter out last column of a log
Code:
# Only apply the grok split to events from the host that emits these lines
if [host] == '0.0.0.0' {
  grok {
    # 12 unnamed numeric columns, then the last one captured as IOUTIL
    match => [ 'message', '<%{INT}>%{MONTH} %{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND} %{WORD} %{WORD}: %{WORD} %{BASE10NUM} %{BASE10NUM} %{BASE10NUM} %{BASE10NUM} %{BASE10NUM} %{BASE10NUM} %{BASE10NUM} %{BASE10NUM} %{BASE10NUM} %{BASE10NUM} %{BASE10NUM} %{BASE10NUM} %{BASE10NUM:IOUTIL}' ]
    overwrite => [ 'message' ]
  }
}
The IP 0.0.0.0 is replaced with the actual valid IP.
scottwilkerson
Re: Regex to filter out last column of a log
Using the http://grokdebug.herokuapp.com/
and this line for reference
Code:
<133>Feb 24 11:44:03 HostDBP01 HostDBP: sda 0.00 40.00 0.00 170.00 0.00 7.60 91.58 0.09 0.52 0.00 0.52 0.19 3.20
I came up with this grok filter
Code:
%{SYSLOG5424PRI}%{SYSLOGBASE} %{WORD:sda} %{BASE16FLOAT:val1} %{BASE16FLOAT:val2} %{BASE16FLOAT:val3} %{BASE16FLOAT:val4} %{BASE16FLOAT:val5} %{BASE16FLOAT:val6} %{BASE16FLOAT:val7} %{BASE16FLOAT:val8} %{BASE16FLOAT:val9} %{BASE16FLOAT:val10} %{BASE16FLOAT:val11} %{BASE16FLOAT:val12} %{BASE16FLOAT:val13}
This would split the fields into val1 to val13
then you can just look at val13
Re: Regex to filter out last column of a log
scottwilkerson wrote:
> Using the http://grokdebug.herokuapp.com/
> and this line for reference
> Code:
> <133>Feb 24 11:44:03 HostDBP01 HostDBP: sda 0.00 40.00 0.00 170.00 0.00 7.60 91.58 0.09 0.52 0.00 0.52 0.19 3.20
> I came up with this grok filter
> Code:
> %{SYSLOG5424PRI}%{SYSLOGBASE} %{WORD:sda} %{BASE16FLOAT:val1} %{BASE16FLOAT:val2} %{BASE16FLOAT:val3} %{BASE16FLOAT:val4} %{BASE16FLOAT:val5} %{BASE16FLOAT:val6} %{BASE16FLOAT:val7} %{BASE16FLOAT:val8} %{BASE16FLOAT:val9} %{BASE16FLOAT:val10} %{BASE16FLOAT:val11} %{BASE16FLOAT:val12} %{BASE16FLOAT:val13}
> This would split the fields into val1 to val13
> then you can just look at val13
That's great, but I can't just throw that Grok Filter into Nagios Log Server (or can I?), I have to script it out like I did above. How would that be done? If it were that simple, I feel like my example above wouldn't have had issues with it.
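As an added example (not code from the thread or from Nagios), the grok split suggested above carried out in Python so the last column can be compared as a number, placed beside the thread's own regex to show why a digit class such as [8-9]+ cannot express "75 and higher"; the log lines are constructed, and the anchored range regex at the end goes one step beyond the thread by spelling out the numeric range for the case where no grok step is available.

```python
import re

# Constructed sample lines in the format shown in the thread (values are made up).
SAMPLE_LOG = """\
<133>Feb 24 11:44:03 HostDBP01 HostDBP: sda 0.00 40.00 0.00 170.00 0.00 7.60 91.58 0.09 0.52 0.00 0.52 0.19 3.20
<133>Feb 24 11:44:13 HostDBP01 HostDBP: sda 0.00 12.00 0.00 310.00 0.00 4.10 27.10 0.45 1.20 0.00 1.20 0.93 75.00
<133>Feb 24 11:44:23 HostDBP01 HostDBP: sdb 3.00 0.00 24.00 0.00 0.19 0.00 16.00 0.02 0.83 0.83 0.00 0.41 100.00
<133>Feb 24 11:44:33 HostDBP01 HostDBP: sdb 0.00 1.00 0.00 8.00 0.00 0.04 8.00 0.00 0.00 0.00 0.00 0.00 8.90
"""

# Python equivalent of the grok split from the thread: syslog header fields, the
# device name, twelve numeric columns, and the last column captured on its own.
LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<timestamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>\S+): (?P<device>\w+) "
    r"(?P<cols>(?:\d+\.\d{2} ){12})(?P<val13>\d+\.\d{2})$"
)

def parse_line(line):
    """Split one line into fields; val1..val13 become floats. None if it doesn't match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    fields = {k: m.group(k) for k in ("pri", "timestamp", "host", "program", "device")}
    for i, v in enumerate(m.group("cols").split() + [m.group("val13")], start=1):
        fields[f"val{i}"] = float(v)
    return fields

def lines_at_or_above(log_text, threshold=75.0):
    """Keep the lines whose last column is >= threshold, compared as a number."""
    parsed = (parse_line(l) for l in log_text.splitlines())
    return [f for f in parsed if f is not None and f["val13"] >= threshold]

# The regex from the thread: [8-9]+ tests digits, not magnitude, and the unescaped
# dot matches any character, so it misses 75.00 and 100.00 and accepts 8.90.
THREAD_RE = re.compile(r"(([0-9]+.[0-9]{2} ){12}[8-9]+.[0-9]{2})")

# If the comparison must stay in a regex (no grok step), the range has to be spelled
# out: 75-79, 80-99, or three or more digits, anchored to the end of the line.
LAST_COL_75_PLUS = re.compile(r" (?:7[5-9]|[89]\d|[1-9]\d{2,})\.\d{2}$")

def regex_hits(pattern, log_text):
    """Which lines a given regex selects, for comparing the two approaches."""
    return [pattern.search(l) is not None for l in log_text.splitlines()]
```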