Menu
I'm trying to parse a logfile using grok
Each line of the logfile has fields separated by commas:
13,home,ABC,Get,,Private, Public,1.2.3 ecc... I'm using match like this: match => [ "message", "%{NUMBER:requestId},%{WORD:ServerHost},%{WORD:Service},...
My question is: Can I allow optional field? At times some of the fileds might be empty ,,
Is there a pattern that matches a string like this 2.3.5 ? ( a kind of version number )
783
Use the ? operator to denote "zero or one occurrence of the previous token", so e.g. (?:%{IP:ip})? (or maybe %{IP:ip}? is enough) although you probably want (?:\s+%{IP:ip}) so that the spaces are optional too.
Put simply, grok is a way to match a line against a regular expression, map specific parts of the line into dedicated fields, and perform actions based on this mapping. Built-in, there are over 200 Logstash patterns for filtering items such as words, numbers, and dates in AWS, Bacula, Bro, Linux-Syslog and more.
At it's base, grok is based on regular expressions, so you can surround a pattern with ()? to make it optional -- for example (%{NUMBER:requestId})?,
If there isn't a grok pattern that suits your needs, you can always create a named extraction like this: (?<version>[\d\.]+) which would extract into version, a string that has any number of digits and dots in it.
162
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
