I’m using Grok to extract fields from my firewall’s Syslog messages. The source and destination IP addresses are formatted as follows…
src=10.2.1.1:137:X1 dst=192.168.254.202:137:X0
In addition to the IP address, the port number and firewall interface are also included. What I’d like to do is strip off the port and interface leaving just the IP address. I’ve tried the following but it fails to process…
src=%{IPV4:srcip}\:%{DATA:value0}
In short, using the example above, I’d like to save the source IP to the srcip field and discard everything else. Any help would be greatly appreciated.
If you don’t want to save a field, don’t name it, and check the option Only named captures in the extractor, or the option only_named_captures: true if you use the pipeline function grok().
You can also add the keyword UNWANTED, for example %{BASE10NUM:UNWANTED}, if you want to skip a field.
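To show how unnamed captures and the UNWANTED keyword behave, here is an added Python example (not from the poster and not Graylog’s own code) that expands a grok pattern into a regular expression and applies it to a constructed line in the format quoted in the question; the pattern definitions are simplified stand-ins for the stock grok ones, and the only_named_captures switch mirrors the extractor option described above.

```python
import re

# Simplified stand-ins for the stock grok patterns (logstash-patterns-core
# is stricter about IPV4 octet ranges and BASE10NUM boundaries).
GROK_PATTERNS = {
    "IPV4": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "BASE10NUM": r"[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)",
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
}
_SYNTAX = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern, only_named_captures=True):
    """Expand %{PATTERN:name} / %{PATTERN} into a Python regex.
    %{PAT:name}     -> named group 'name'
    %{PAT:UNWANTED} -> matched but never captured
    %{PAT}          -> dropped when only_named_captures is set, otherwise
                       captured under the pattern's own name, as grok does
    """
    seen = set()

    def repl(m):
        base, name = m.group(1), m.group(2)
        body = GROK_PATTERNS[base]
        if name == "UNWANTED" or (name is None and only_named_captures):
            return f"(?:{body})"
        name = name or base
        while name in seen:          # keep group names unique for re
            name += "_"
        seen.add(name)
        return f"(?P<{name}>{body})"

    return _SYNTAX.sub(repl, pattern)


def grok_extract(pattern, text, only_named_captures=True):
    """Return the extracted fields, or None if the pattern does not match."""
    m = re.search(grok_to_regex(pattern, only_named_captures), text)
    return m.groupdict() if m else None


# Constructed sample line in the format quoted in the question.
LINE = "src=10.2.1.1:137:X1 dst=192.168.254.202:137:X0"
# Port and interface are consumed but not kept: via UNWANTED on the src
# side and via unnamed captures on the dst side.
PATTERN = (r"src=%{IPV4:srcip}:%{BASE10NUM:UNWANTED}:%{WORD:UNWANTED}\s+"
           r"dst=%{IPV4:dstip}:%{BASE10NUM}:%{WORD}")

if __name__ == "__main__":
    print(grok_extract(PATTERN, LINE))   # {'srcip': '10.2.1.1', 'dstip': '192.168.254.202'}
    print(grok_extract(PATTERN, LINE, only_named_captures=False))  # adds BASE10NUM, WORD
```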
The first two - sid, ipscat - process fine. The third - src - does not. When I run the extractor test with src added, I get a message saying “We were not able to run the grok extraction. Please check your parameters.” I even changed the last field from WORD to HOSTNAME, as the values include letters, but this did not work either. Any other thoughts?