

A better approach would be to use the Log data format with a Grok pattern to parse the data. This works for me with your data:

Grok Pattern Definition: NATNAME (?:[0-9A-Za-z-]+)

Grok Pattern: %{TIMESTAMP_ISO8601:timestamp} %{WORD:logname}, applianceName=%{WORD:applianceName}, tenantName=%{WORD:tenantName}, observationTimeMilliseconds=%{POSINT:observationTimeMilliseconds}, flowId=%{POSINT:flowId}, flowCookie=%{POSINT:flowCookie}, sourceIPv4Address=%{IPV4:sourceIPv4Address}, destinationIPv4Address=%{IPV4:destinationIPv4Address}, postNATSourceIPv4Address=%{IPV4:postNATSourceIPv4Address}, postNATDestinationIPv4Address=%{IPV4:postNATDestinationIPv4Address}, sourcePort=%{POSINT:sourcePort}, destinationPort=%{POSINT:destinationPort}, postNAPTsourceTransportPort=%{POSINT:postNAPTsourceTransportPort}, postNAPTdestinationTransportPort=%{POSINT:postNAPTdestinationTransportPort}, tenantId=%{NONNEGINT:tenantId}, vsnId=%{NONNEGINT:vsnId}, applianceId=%{NONNEGINT:applianceId}, protocolIdentifier=%{NONNEGINT:protocolIdentifier}, sourceNatPoolName=%{NATNAME:sourceNatPoolName}, destNatPoolName=%{NATNAME:destNatPoolName}, natRuleName=%{NATNAME:natRuleName}, natEvent=%{NATNAME:natEvent}

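To check the answer's pattern offline, here is an added example (not the answer author's code, and not the pipeline's own grok implementation): a small Python re-implementation of grok's `%{NAME:field}` expansion, loaded with simplified copies of the Logstash base patterns the answer relies on plus the custom NATNAME definition, run over a constructed NAT log line. The second constructed line shows the main failure mode of this pattern: `%{WORD}` is `\w+`, so an appliance name containing a hyphen makes the whole line fail to parse, and such events would be tagged `_grokparsefailure` rather than indexed with their NAT fields.

```python
import re

# Simplified copies of the Logstash grok base patterns used by the answer's
# pattern (assumption: trimmed to the alternatives these fields need; the real
# grok-patterns file is slightly broader), plus the custom NATNAME definition
# given in the answer.
GROK_PATTERNS = {
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "ISO8601_TIMEZONE": r"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))",
    "TIMESTAMP_ISO8601": (r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}"
                          r"(?::?%{SECOND})?%{ISO8601_TIMEZONE}?"),
    "WORD": r"\b\w+\b",
    "POSINT": r"\b(?:[1-9][0-9]*)\b",
    "NONNEGINT": r"\b(?:[0-9]+)\b",
    "IPV4": (r"(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.]){3}"
             r"(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])(?![0-9])"),
    "NATNAME": r"(?:[0-9A-Za-z-]+)",  # the custom pattern from the answer
}

# The grok pattern from the answer, copied verbatim (split for readability).
NAT_LOG_GROK = (
    "%{TIMESTAMP_ISO8601:timestamp} %{WORD:logname}, applianceName=%{WORD:applianceName}, "
    "tenantName=%{WORD:tenantName}, observationTimeMilliseconds=%{POSINT:observationTimeMilliseconds}, "
    "flowId=%{POSINT:flowId}, flowCookie=%{POSINT:flowCookie}, "
    "sourceIPv4Address=%{IPV4:sourceIPv4Address}, destinationIPv4Address=%{IPV4:destinationIPv4Address}, "
    "postNATSourceIPv4Address=%{IPV4:postNATSourceIPv4Address}, "
    "postNATDestinationIPv4Address=%{IPV4:postNATDestinationIPv4Address}, "
    "sourcePort=%{POSINT:sourcePort}, destinationPort=%{POSINT:destinationPort}, "
    "postNAPTsourceTransportPort=%{POSINT:postNAPTsourceTransportPort}, "
    "postNAPTdestinationTransportPort=%{POSINT:postNAPTdestinationTransportPort}, "
    "tenantId=%{NONNEGINT:tenantId}, vsnId=%{NONNEGINT:vsnId}, applianceId=%{NONNEGINT:applianceId}, "
    "protocolIdentifier=%{NONNEGINT:protocolIdentifier}, sourceNatPoolName=%{NATNAME:sourceNatPoolName}, "
    "destNatPoolName=%{NATNAME:destNatPoolName}, natRuleName=%{NATNAME:natRuleName}, "
    "natEvent=%{NATNAME:natEvent}"
)

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern, field_types=None):
    """Recursively expand %{NAME} / %{NAME:field} into a Python regex.

    %{NAME} becomes a non-capturing group, %{NAME:field} a named group; the grok
    type of every named field is recorded in field_types for later conversion.
    """
    if field_types is None:
        field_types = {}

    def expand(m):
        name, field = m.group(1), m.group(2)
        if name not in GROK_PATTERNS:
            raise ValueError(f"unknown grok pattern {name}")
        inner = grok_to_regex(GROK_PATTERNS[name], field_types)
        if field:
            field_types[field] = name
            return f"(?P<{field}>{inner})"
        return f"(?:{inner})"

    return GROK_REF.sub(expand, pattern)


FIELD_TYPES = {}
NAT_LOG_RE = re.compile(grok_to_regex(NAT_LOG_GROK, FIELD_TYPES))
INT_TYPES = {"POSINT", "NONNEGINT"}


def parse_nat_log(line):
    """Return the parsed fields (ints for numeric grok types) or None when the
    line does not match, which is what grok reports as a _grokparsefailure."""
    m = NAT_LOG_RE.search(line)  # grok matches unanchored, like re.search
    if m is None:
        return None
    return {k: int(v) if FIELD_TYPES[k] in INT_TYPES else v
            for k, v in m.groupdict().items()}


# Constructed sample lines in the format the answer's pattern expects
# (not taken from the original post).
SAMPLE_OK = (
    "2024-03-05T10:15:30Z natLog, applianceName=branch01, tenantName=acme, "
    "observationTimeMilliseconds=1709633730000, flowId=1234, flowCookie=5678, "
    "sourceIPv4Address=10.0.0.5, destinationIPv4Address=203.0.113.10, "
    "postNATSourceIPv4Address=198.51.100.7, postNATDestinationIPv4Address=203.0.113.10, "
    "sourcePort=51000, destinationPort=443, postNAPTsourceTransportPort=62000, "
    "postNAPTdestinationTransportPort=443, tenantId=2, vsnId=0, applianceId=7, "
    "protocolIdentifier=6, sourceNatPoolName=pool-out, destNatPoolName=none, "
    "natRuleName=rule-1, natEvent=Create"
)
# Same event, but the appliance name contains a hyphen: %{WORD} is \w+, so the
# whole line fails to parse and its NAT fields never reach the index.
SAMPLE_HYPHEN = SAMPLE_OK.replace("applianceName=branch01", "applianceName=branch-01")

if __name__ == "__main__":
    for line in (SAMPLE_OK, SAMPLE_HYPHEN):
        print(parse_nat_log(line))
```

Before deploying a pattern like this, run it against a day of real samples and alert on the `_grokparsefailure` tag: a NAT log that silently fails to parse is a gap in exactly the data you need to map a post-NAT address back to an internal host during an investigation. If appliance or tenant names can contain hyphens, a custom pattern such as NATNAME is the right type for those fields too.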