Escape pipe \ Vertical Operator (|) in Ingress Pipeline for grok processor

Atul_Gunjal · June 9, 2020, 2:12pm

I want to process logs separated by pipe '|' operator in an ingress pipeline using grok. How can I ignore this character in the pattern?
Log data:

PUT /combined/_doc/1?pipeline=pipeline_combined_logs
{
    "service": "ise7085|19524"
}

Pattern:

{
        "grok": {
          "field": "service",
          "patterns": "%{DATA:user}\|%{DATA:pid}"
        }
        }
      }

Above pattern throw error

"Unrecognized character escape '|'

Thanks!!!

val · June 9, 2020, 2:21pm

You need to use a double backslash

      "patterns": "%{DATA:user}\\|%{DATA:pid}"

Atul_Gunjal · June 9, 2020, 2:59pm

@val I tried your suggestion but it parses only user and pid field has no value now.

val · June 9, 2020, 3:01pm

Try INT instead of DATA

Atul_Gunjal · June 9, 2020, 3:09pm

Thanks @val .. it worked.

val · June 9, 2020, 3:20pm

Cool, glad it helped!

system · July 7, 2020, 3:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.