Base Pattern & optional patterns parsing with logstash

MaikLinnemann · July 17, 2017, 7:56am

Dear Forum,

i have a problem with parsing grok filter. This is working from command line with a ruby test script like it should:

pattern = "%{PFLTR},?%{PORTS}?,?%{ICMP}?"

It parses the lines and gets the stuff from "%{PFLTR}" (Lets call it base string) and optionally gets the stuff from "?%{PORTS}?,?%{ICMP}?" (lets call it optional string)....All Fields are filled either with values or with empty values.

In the grok file i use in logstash, with the same line, it never respects "?%{PORTS}?,?%{ICMP}?". It only gets the stuff from "%{PFLTR}" and the other fields are just empty.

I would provide more info if necessary. Hope that somebody could give me a hint. Thanks in advance,

regards

MaikLinnemann · July 18, 2017, 9:32am

I found the solution by myself. It may help someone....

PFLTR %{PACKETFILTER} ?(%{PORTS}|%{ICMP})?

system · August 15, 2017, 9:32am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to handle grok optional pattern (?:) Logstash	7	1118	June 1, 2022
Pattern matching issues in Logstash Logstash	2	262	October 13, 2021
Is posible to have iptional field with regex as grok optionals fields? Logstash	6	420	January 6, 2022
Field Values from Pattern Directory Logstash	5	1150	October 11, 2017
Optional grok pattern field doesnt match Logstash	2	289	February 25, 2021

Base Pattern & optional patterns parsing with logstash

Related Topics