Capturing group inside a custom grok pattern

agosmaker · January 8, 2019, 2:47pm

Hello,
Let's imagine we have string
some text aaabbbccc another text
We want to extract bbb.

we can use "embedded" regex (https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html Custom Patterns "option 1"
aaa(?<superb>.*)ccc
and get
{
"superb": [
"bbb"
]
}
But it's more neatly to extract this logic to custom pattern in custom pattern file.
we can use custom pattern in custom pattern file ("option 2")
BPATTERN aaa(?<superb>.*)ccc
result:
{
"bvar": [
"aaabbbccc"
],
"superb": [
"bbb"
]
}

Now we have excess variable bvar.
Of course we can mutate and remove bvar, but does another method exist to not create (and remove further) bvar variable?

I tried syntax like
%{BPATTERN:}
but it doesn't allow omit variable.

Badger · January 8, 2019, 3:22pm

Leave out the colon. This works

grok {
    pattern_definitions => { "BPATTERN" => "aaa(?<superb>.*)ccc" }
    match => { "message" => "%{BPATTERN}" }
}

It would work with patterns_dir too.

agosmaker · January 8, 2019, 5:07pm

Thank you for the answer. I'll check but it doesn't work at least in http://grokdebug.herokuapp.com/

agosmaker · January 17, 2019, 5:56pm

Yes, it works. Many thanks.
All uppercase names in http://grokdebug.herokuapp.com/ like
"YEAR": [
[
"2018"
]
]
really aren't included in ouput json by logstash. So everything is OK

system · February 14, 2019, 5:56pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.