Add field in logstash config

Hi!!!
I have logs like this:
GetLoginGata: login: 'G:59423457'; deviceId: 'FF7567DE-8822-4D0F-9E2E-651A202B6B58'
And I want to get fields with grok filter in my config:
grok {
  match => [ "message", " login: %{WORD:login}" ]
  tag_on_failure => []
}
grok {
  match => [ "message", " deviceid: %{WORD:device-id}" ]
  tag_on_failure => []
}
But it didn't come. Where is the mistake?

There are multiple problems here.

  • The device-id string contains hyphens. I don't think WORD matches hyphens.
  • There's a single quote on each side of the value and single quotes are also not included in WORD.

You could e.g. use this grok filter:

filter {
  grok {
    match => [
      "message",
      "^GetLoginGata: login: '(?<login>[^']+)'; deviceId: '(?<deviceid>[^']+)'"
    ]
  }
}

Brilliant, many thanks
Where can I get more information about the syntax of the grok filter?
For example, what does '(?[^']+)' mean?

Grok expressions are regular expressions with the addition of %{PATTERN:variable} captures. (?<deviceid>[^']+) isn't grok-specific but a good old regular expression that means "match and save one or more characters that aren't single quotes into the named capture 'deviceid'".

@magnusbaeck
ok, and just for me, if I want to break your code like this:
grok {
  match => [ "message", " login: '(?[^']+)' "]
  tag_on_failure => []
}

grok {
  match => [ "message", " deviceId: '(?[^']+)' "]
  tag_on_failure => []
}
The fields are not coming. Where is the mistake here? Sorry for the noob questions.

Please make configuration snippets preformatted so that things that look like HTML tags aren't stripped. I'm going to assume your configuration actually says (?<login>[^']+) rather than (?[^']+).

I don't know off the top of my head why the above doesn't work and I don't have time to debug it. Why do you want multiple filters?
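
The expressions from this thread, run against the quoted log line as an added example in Ruby, whose regexes accept the same (?<name>...) capture syntax; this is not code from the thread or from Logstash. It assumes the message is exactly the line quoted in the question and that the stripped captures were (?<login>...) and (?<deviceid>...), as the reply assumes; grok_match is a hypothetical helper that only knows WORD.

```ruby
# Added example, not Logstash code: a minimal stand-in for grok's
# %{PATTERN:field} expansion on top of Ruby regular expressions.
PATTERNS = { "WORD" => '\b\w+\b' }.freeze # WORD as defined in the stock grok patterns

# Constructed input: the log line quoted in the question, with no trailing whitespace.
LINE = "GetLoginGata: login: 'G:59423457'; " \
       "deviceId: 'FF7567DE-8822-4D0F-9E2E-651A202B6B58'"

# Returns a field => value hash, or nil when the expression does not match.
def grok_match(expr, line = LINE)
  alias_of = {}
  # Give each %{PATTERN:field} a synthetic group name so field names such as
  # "device-id" do not have to be valid regex group names.
  source = expr.gsub(/%\{(\w+):([^}]+)\}/) do
    key = "g#{alias_of.size}"
    alias_of[key] = $2
    "(?<#{key}>#{PATTERNS.fetch($1)})"
  end
  m = Regexp.new(source).match(line)
  m && m.names.to_h { |name| [alias_of.fetch(name, name), m[name]] }
end

CASES = {
  # Original filters: WORD cannot start at the opening quote
  # (the second also says "deviceid" where the log says "deviceId").
  " login: %{WORD:login}"            => nil,
  " deviceid: %{WORD:device-id}"     => nil,
  # Quotes added: WORD still stops at ':' and '-', so the closing quote never lines up.
  " login: '%{WORD:login}'"          => nil,
  " deviceId: '%{WORD:deviceid}'"    => nil,
  # Split filters from the follow-up: the space after the closing quote has
  # nothing to match (';' follows the login, end of line follows the device id).
  " login: '(?<login>[^']+)' "       => nil,
  " deviceId: '(?<deviceid>[^']+)' " => nil,
  # The same split filters without the trailing space.
  " login: '(?<login>[^']+)'"        => { "login" => "G:59423457" },
  " deviceId: '(?<deviceid>[^']+)'"  =>
    { "deviceid" => "FF7567DE-8822-4D0F-9E2E-651A202B6B58" },
  # The single anchored expression from the answer.
  "^GetLoginGata: login: '(?<login>[^']+)'; deviceId: '(?<deviceid>[^']+)'" =>
    { "login" => "G:59423457", "deviceid" => "FF7567DE-8822-4D0F-9E2E-651A202B6B58" },
}.freeze

CASES.each do |expr, expected|
  got = grok_match(expr)
  puts format("%-36s %s", expr.inspect, got.inspect)
  raise "unexpected result for #{expr}" unless got == expected
end
```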