Capturing group inside a custom grok pattern

agosmaker · January 8, 2019, 2:47pm

Hello,
Let's imagine we have string
some text aaabbbccc another text
We want to extract bbb.

we can use "embedded" regex (https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html Custom Patterns "option 1"
aaa(?<superb>.*)ccc
and get
{
"superb": [
"bbb"
]
}
But it's more neatly to extract this logic to custom pattern in custom pattern file.
we can use custom pattern in custom pattern file ("option 2")
BPATTERN aaa(?<superb>.*)ccc
result:
{
"bvar": [
"aaabbbccc"
],
"superb": [
"bbb"
]
}

Now we have excess variable bvar.
Of course we can mutate and remove bvar, but does another method exist to not create (and remove further) bvar variable?

I tried syntax like
%{BPATTERN:}
but it doesn't allow omit variable.

Badger · January 8, 2019, 3:22pm

Leave out the colon. This works

grok {
    pattern_definitions => { "BPATTERN" => "aaa(?<superb>.*)ccc" }
    match => { "message" => "%{BPATTERN}" }
}

It would work with patterns_dir too.

agosmaker · January 8, 2019, 5:07pm

Thank you for the answer. I'll check but it doesn't work at least in http://grokdebug.herokuapp.com/

agosmaker · January 17, 2019, 5:56pm

Yes, it works. Many thanks.
All uppercase names in http://grokdebug.herokuapp.com/ like
"YEAR": [
[
"2018"
]
]
really aren't included in ouput json by logstash. So everything is OK

system · February 14, 2019, 5:56pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can I store entire grok pattern in a variable Logstash	4	479	May 28, 2019
Grok parsing using custom pattern Logstash	3	1031	August 9, 2017
Defining grok patterns Logstash	22	16229	July 6, 2017
Grok working, but how do I put it in a pattern? Logstash	3	506	January 19, 2018
Grok filter is not working (custom pattern) Logstash	6	1702	May 10, 2017

Capturing group inside a custom grok pattern

Related topics