Capturing only first group in Logstash regex

Elastic Stack Logstash
1

Hello everyone!

Can someone explain me next please.
I have log:

"bool":{"must":[{"bool":{"should":[{"codesearch_score_query":{"query_id":"9baec4c4-d910-4023-899e-5a580bfbd3a3","query":{"term":{"content":"copy"}}}},{"function_score":{"boost":10000000,"query":{"term":{"fileName":{"_name":"fileName_copy","value":"copy"}}}}}]}},{"bool":{"should":[{"codesearch_score_query":{"query_id":"9baec4c4-d910-4023-899e-5a580bfbd3a3","query":{"term":{"content":"new"}}}},{"function_score":{"boost":10000000,"query":{"term":{"fileName":{"_name":"fileName_new","value":"new"}}}}}]}},{"bool":{"should":[{"codesearch_score_query":{"query_id":"9baec4c4-d910-4023-899e-5a580bfbd3a3","query":{"term":{"content":"version"}}}},{"function_score":{"boost":10000000,"query":{"term":{"fileName":{"_name":"fileName_version","value":"version"}}}}}]}},{"bool":{"should":[{"codesearch_score_query":{"query_id":"9baec4c4-d910-4023-899e-5a580bfbd3a3","query":{"term":{"content":"and"}}}},{"function_score":{"boost":10000000,"query":{"term":{"fileName":{"_name":"fileName_and","value":"and"}}}}}]}},{"bool":{"should":[{"codesearch_score_query":{"query_id":"9baec4c4-d910-4023-899e-5a580bfbd3a3","query":{"term":{"content":"install"}}}},{"function_score":{"boost":10000000,"query":{"term":{"fileName":{"_name":"fileName_install","value":"install"}}}}}]}},{"bool":{"should":[{"codesearch_score_query":{"query_id":"9baec4c4-d910-4023-899e-5a580bfbd3a3","query":{"term":{"content":"previous"}}}},{"function_score":{"boost":10000000,"query":{"term":{"fileName":{"_name":"fileName_previous","value":"previous"}}}}}]}},{"bool":{"should":

and regex:

grok {
			match => { "[Query_body]" => "(?<=fileName)(?<body>.*)"}
        }

2019-06-04_17-59-10
2019-06-04_17-59-10974×864 82.6 KB

It matching many times but i need only first group. How i can to do this? If it possible.
Sorry for my English.

2

If you just want the "copy" from filename_copy then you could use

grok { match => { "message" => '(?<=fileName_)(?<body>.+?)"' } }
3

Hi, thanks for response.
With this pattern i have many matches like on screenshot.
I need take only first or concatenate all matches to array like
[
"1 value",
"2 value",
...
etc
]

4

Can someone help with my problem? Or it impossible in standard Logstash config?

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.