Comma as delimiter in grok and null values

Hello everyone,

I have a txt file with a log structure like this:

```
field1,field2,field3,field4,field5,field6,field7,field8,field9,field10,field11,field12, field13,field14
```

As you can see, every field is delimited by a comma. How can I use a comma in a grok pattern?

Sometimes field6 is null; it doesn't have a value.

So, what does my pattern need in order to use a comma to delimit the fields in my logs, and how can I accept null values in some fields?

My current grok pattern:

```
match => ["message","((%{INT:field1}),(%{INT:field2}),(%{INT:field3}),(%{GREEDYDATA:field4}),(%{DATA:field5}),(%{DATA:field6}),(%{DATA:field7}),(%{DATA:field8}),(%{DATA:field9}),(%{DATA:field10}),(%{DATA:field11}),(%{DATA:field12}),(%{DATA:field13}),(%{DATA:field14}))"]
```

Thanks for the help,

Best regards.

Why not just use the CSV filter?

I don't use CSV filter because my logs don't come from CSV files.

It doesn't matter, it's just a way of breaking up the data.
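The csv filter suggested in this thread, as an added example that is not from any of the participants. It assumes the raw line arrives in the `message` field and reuses the field names from the question; the `convert` and `skip_empty_columns` choices are assumptions about the desired output.

```logstash
filter {
  csv {
    # The csv filter splits any delimited string; the input does not
    # have to come from a .csv file.
    source    => "message"
    separator => ","

    # Column names in the order they appear in the log line.
    columns => [
      "field1", "field2", "field3", "field4", "field5", "field6", "field7",
      "field8", "field9", "field10", "field11", "field12", "field13", "field14"
    ]

    # The question's grok pattern typed the first three fields as INT.
    convert => {
      "field1" => "integer"
      "field2" => "integer"
      "field3" => "integer"
    }

    # An empty field6 (two consecutive commas) is not a parse error.
    # With this set to true, empty columns are left out of the event.
    skip_empty_columns => true
  }

  # Lines the filter cannot parse are tagged _csvparsefailure by default.
  # Keep them visible instead of silently indexing half-parsed events.
  if "_csvparsefailure" in [tags] {
    mutate { add_field => { "parse_status" => "failed" } }
  }
}
```

The `parse_status` field name is hypothetical; route or alert on failed lines in whatever way fits the pipeline.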
