Comma as delimiter in grok and null values

Miguel_Bessa · December 9, 2016, 9:04pm

Hello everyone,

I have a txt file with a log structure like this:

####field1,field2,field3,field4,field5,field6,field7,field8,field9,field10,field11,field12, field13,field14

As you can see, every field is delimited by comma. How can I use comma in grok pattern?

Sometimes the field6 is null, doesn't have value.

So, what my pattern need to have to use comma to delimiter fields in my logs and how I can accept null values in some field.

Actually my grok pattern:

####match => ["message","((%{INT:field1}),(%{INT:field2}),(%{INT:field3}),(%{GREEDYDATA:field4}),(%{DATA:field5}),(%{DATA:field6}),(%{DATA:field7}),(%{DATA:field8}),(%{DATA:field9}),(%{DATA:field10}),(%{DATA:field11}),(%{DATA:field12}),(%{DATA:field13}),(%{DATA:field14}))"]

Thanks for help,

Best regards.

warkolm · December 12, 2016, 4:33am

Why not just use the CSV filter?

Miguel_Bessa · December 12, 2016, 10:50am

I don't use CSV filter because my logs don't come from CSV files.

warkolm · December 12, 2016, 11:33pm

It doesn't matter, it's just a way of breaking up the data.

system · January 9, 2017, 11:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.