Does dissect processor in beats support greedy/lazy match?

Elastic Stack Beats
1

I'm using dissect processor to parse a value like
/var/log/containers/calico-node-ltx4t_kube-system_calico-node-21e03abb29adcec39f69e3f76c16eb2b3ed4dd1a51675279de5cedc59bdce56b.log

using tokenizer:/var/log/containers/%{kube_pod_name}_%{kube_namespace_name}_%{container_name}-%{container_id}.log

The result is:

"kube_pod_name": "calico-node-ltx4t",
"container_id": "node-21e03abb29adcec39f69e3f76c16eb2b3ed4dd1a51675279de5cedc59bdce56b"
"kube_namespace_name": "kube-system",
"container_name": "calico",

However, the result I expected is:

"container_id": "21e03abb29adcec39f69e3f76c16eb2b3ed4dd1a51675279de5cedc59bdce56b"
"container_name": "calico-node"

Does dissect processor in beats support greedy/lazy match? Like regexp?

2

I'm afraid this is an edge case and unfortunately I don't see a nice workaround right now. I think you can open an issue for Beats to let the team discuss/prioritize this issue.

3

Thanks!

4

I would drop the fields that you don't need

- drop_fields
        fields: ["kube_pod_name","kube_namespace_name"]
5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.