Hello,
I trying to capture specific fields in log like a phone_number.
In grok debbuger, i try this (regular expression found) :
{'/^(+33|0)[67][0-9]{8}$/':PHONE_NUMBER}
Entry : 0614151612
Result : Not found.
I try this too :
(?<PHONE_NUMBER<'/^(+33|0)[67][0-9]{8}$/')
(the < in the wrong sens its ok, else it's doesn't display ^^)
Hi @Beuhlet_Reseau ,
try this one:
(?<PHONE_NUMBER>^[+]{0,1}[33]{0,2}[0]{0,1}[67][0-9]{8}$)
worked in the debugger with the string 0614151612 and also +33614151612
Oh thank you it's work !
To pay attention to the space (or bizarre line break) between fields, I must use the function Notspace ?
value1|value2 [SPACE] value2|value3| [SPACE] value4|
[SPACE] + [BREAK LINE] value5
%{DATA:val1}[|]{NOTSPACE}%{DATA:val2}[|]%{DATA:val3}[|]%{NOTSPACE}%{DATA:val4}[|]{NOTSPACE}%{DATA:val5}
You see what i mean ? ^^
(because the upload of my logs is really disastrous because of the spaces between the logs, after the logs ...)
Hi @Beuhlet_Reseau ,
you can use also something like \s for space and \n for new line.
value1|value2 value2|value3| value4|
value5
%{DATA:val1}\x7c%{DATA:val2}\s%{DATA:val2}\x7c%{DATA:val2}\x7c\s%{DATA:val1}\x7c\n%{DATA:val2}$
\x7c is looking for |
think the easiest way is to try the grok debugger and also take a look at the default patterns, that's the way i did it at the beginning.
Grok debug
Grok patterns
regex editor
hope that helps
Cheers,
Dirk
Thank you @lueneburger
In the grok debug website my request is too long and it's return me a timeout...
\x7c is better than [|] to cut fields ?
The \s is the same than %{SPACE} ?
(\s it's not recognized in grok debug it's normal ?)
should work, just type in the patterns without match => [ "message", "...."] or show the request here.
and that's only one log event?
One line is composed of 60 fields.
My grok have 60 pattern (lots of DATA to test conf)
When i start logstash it's indicate :
[2017-02-20T15:08:12,532][WARN ][logstash.filters.grok ] Timeout executing grok
After a difficult start it sends lines but cut in the middle (I suppose it Because of the presence of a large space in my lines).
It's very complicated 
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.