Merge pull request #638 from apurva-birajdar/GRD-90012

GRD-90899 : Submit changes to fix the grok pattern
IBM · Dec 4, 2024 · 41bfad0 · 41bfad0
2 parents 5efdadd + c8f4bae
commit 41bfad0
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 21 deletions.
diff --git a/...ash-filter-aurora-mysql-guardium/AuroraMysqlOverCloudwatchPackage/AuroraMysql/filter.conf b/...ash-filter-aurora-mysql-guardium/AuroraMysqlOverCloudwatchPackage/AuroraMysql/filter.conf
@@ -3,20 +3,21 @@ filter
         if [type] == "AuroraMysql" {
             grok {
                 match => {
-                    "message" => "(?<ts>[^,]*),(?<serverInstance>[^,]*),(?<userName>[^,]*),(?<clientIp>[^,]*),(?<connectionId>[^,]*),(?<queryId>[^,]*),(?<operation>[^,]*),(?<dbName>[^,]*),(?<originalSQL>[^?]*),%{NUMBER:retcode}"
+                  "message" => [
+                  "(?<ts>[^,]*),(?<serverInstance>[^,]*),(?<userName>[^,]*),(?<clientIp>[^,]*),(?<connectionId>[^,]*),(?<queryId>[^,]*),(?<operation>[^,]*),(?<dbName>[^,]*),%{GREEDYDATA:originalSQL},%{NUMBER:retcode}"
+                  ]
                 }
             }
             if "_grokparsefailure"  in [tags]
             {
                drop{}
             }
-
             if ![dbName] and [message] !~ "FAILED_CONNECT"  {
                 drop {}
             } else {
-                 mutate { gsub => ["originalSQL","[\\]",""]}
-                 mutate { add_field => {"Server_Hostname" => "%{account_id}_%{serverInstance}"} }
-                 auroramysqlguardiumpluginfilter {}
+               mutate { gsub => ["originalSQL","[\\]",""]}
+               mutate { add_field => {"Server_Hostname" => "%{account_id}_%{serverInstance}"} }
+               auroramysqlguardiumpluginfilter {}
             }
 
             mutate {
@@ -26,6 +27,4 @@ filter
                 ]
             }
         }
-
-}
-
+}
diff --git a/filter-plugin/logstash-filter-aurora-mysql-guardium/auroraMysqlCloudwatch.conf b/filter-plugin/logstash-filter-aurora-mysql-guardium/auroraMysqlCloudwatch.conf
@@ -24,7 +24,9 @@ filter
         if [type] == "AuroraMysql" {
             grok {
                 match => {
-                    "message" => "(?<ts>[^,]*),(?<serverInstance>[^,]*),(?<userName>[^,]*),(?<clientIp>[^,]*),(?<connectionId>[^,]*),(?<queryId>[^,]*),(?<operation>[^,]*),(?<dbName>[^,]*),(?<originalSQL>[^?]*),%{NUMBER:retcode}"
+                  "message" => [
+                  "(?<ts>[^,]*),(?<serverInstance>[^,]*),(?<userName>[^,]*),(?<clientIp>[^,]*),(?<connectionId>[^,]*),(?<queryId>[^,]*),(?<operation>[^,]*),(?<dbName>[^,]*),%{GREEDYDATA:originalSQL},%{NUMBER:retcode}"
+                  ]
                 }
             }
             if "_grokparsefailure"  in [tags]

diff --git a/filter-plugin/logstash-filter-aurora-mysql-guardium/auroraSQL-test-genertor.conf b/filter-plugin/logstash-filter-aurora-mysql-guardium/auroraSQL-test-genertor.conf
@@ -13,13 +13,14 @@ input{
     }
   }
 
-
 filter
-    {
-        if [type] == "cloudwatch" {
+{
+        if [type] == "AuroraMysql" {
             grok {
                 match => {
-                    "message" => "(?<ts>[^,]*),(?<serverInstance>[^,]*),(?<userName>[^,]*),(?<clientIp>[^,]*),(?<connectionId>[^,]*),(?<queryId>[^,]*),(?<operation>[^,]*),(?<dbName>[^,]*),(?<originalSQL>[^?]*),%{NUMBER:retcode}"
+                  "message" => [
+                  "(?<ts>[^,]*),(?<serverInstance>[^,]*),(?<userName>[^,]*),(?<clientIp>[^,]*),(?<connectionId>[^,]*),(?<queryId>[^,]*),(?<operation>[^,]*),(?<dbName>[^,]*),%{GREEDYDATA:originalSQL},%{NUMBER:retcode}"
+                  ]
                 }
             }
             if "_grokparsefailure"  in [tags]
@@ -29,21 +30,19 @@ filter
             if ![dbName] and [message] !~ "FAILED_CONNECT"  {
                 drop {}
             } else {
-             mutate { gsub => ["originalSQL","[\\]",""]}
-             mutate { add_field => {"Server_Hostname" => "%{account_id}_%{serverInstance}"} }
-             auroramysqlguardiumpluginfilter {}
+               mutate { gsub => ["originalSQL","[\\]",""]}
+               mutate { add_field => {"Server_Hostname" => "%{account_id}_%{serverInstance}"} }
+               auroramysqlguardiumpluginfilter {}
             }
+
             mutate {
                 remove_field =>
                 [
-                    "@version","operation","type", "userName", "dbName", "NUMBER","serverInstance","clientIp", "connectionId","queryId","cloudwatch_logs", "@timestamp","retcode","account_id","message","originalSQL","Server_Hostname","sequence","ts","tags","host"
+                    "@version","operation","type", "userName", "dbName", "NUMBER","serverInstance","clientIp", "connectionId","queryId","cloudwatch_logs", "@timestamp","retcode","account_id","message","originalSQL","Server_Hostname"
                 ]
             }
         }
-
-    }
-
-
+}
 output {
 	stdout { codec => rubydebug }