Escape pipe \ Vertical Operator (|) in Ingress Pipeline for grok processor

Atul_Gunjal · June 9, 2020, 2:12pm

I want to process logs separated by pipe '|' operator in an ingress pipeline using grok. How can I ignore this character in the pattern?
Log data:

PUT /combined/_doc/1?pipeline=pipeline_combined_logs
{
    "service": "ise7085|19524"
}

Pattern:

{
        "grok": {
          "field": "service",
          "patterns": "%{DATA:user}\|%{DATA:pid}"
        }
        }
      }

Above pattern throw error

"Unrecognized character escape '|'

Thanks!!!

val · June 9, 2020, 2:21pm

You need to use a double backslash

      "patterns": "%{DATA:user}\\|%{DATA:pid}"

Atul_Gunjal · June 9, 2020, 2:59pm

@val I tried your suggestion but it parses only user and pid field has no value now.

val · June 9, 2020, 3:01pm

Try INT instead of DATA

Atul_Gunjal · June 9, 2020, 3:09pm

Thanks @val .. it worked.

val · June 9, 2020, 3:20pm

Cool, glad it helped!

system · July 7, 2020, 3:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Issue with escaping pipe "\|" in Ingest Pipeline Elasticsearch ingest-pipeline	8	660	November 5, 2021
Grok processor in pipeline throws json_parse_exception Elasticsearch	3	877	April 24, 2018
Ingest Node Pipeline doesn't allow for "\[" pattern Elasticsearch	3	1257	November 16, 2020
Square brackets in ingest node grok pattern Elasticsearch	3	2717	January 2, 2017
PATTERN ERROR WHEN ADDING IN INGEST PIPELINE GROK PROCESSOR Kibana	1	359	February 15, 2022