Extract multiple substrings from a field using grok

Hi,
I'm trying to extract the job name ("create-machine") and the build number ("**") from the file path but it is not possible to use duplicate keys.
Do you have any other suggestions?

# Tails the Jenkins console logs of the two jobs listed in `path`; the `**`
# glob stands in for the per-build directory.
# NOTE(review): Jenkins build logs can contain secrets echoed by build steps
# (tokens, passwords). Mask or drop such lines before indexing and restrict
# read access to the destination index.
input {
  file {
    path => [
      "/bitnami/jenkins/jenkins_home/jobs/create-machine/builds/**/log",
      "/bitnami/jenkins/jenkins_home/jobs/delete-machine/builds/**/log"
    ]
    # Marker field; the filter section branches on [test] == "temp".
    add_field => { "test" => "temp" }
    # NOTE(review): very high cap on simultaneously open files; confirm the
    # Logstash process's file-descriptor limit can actually accommodate it.
    max_open_files => 99999
    # Lines that do NOT match the pattern (negate => true) are appended to
    # the previous event (what => "previous").
    codec => multiline {
      # Bracketed ISO-style datetime, e.g. [YYYY-MM-DDTHH:MM:SS.fffZ].
      # NOTE(review): the pattern has no leading ^, so it matches a timestamp
      # anywhere in the line, not only at the start. The `.` before the
      # fraction is unescaped (any character), and `+-:` inside the character
      # class is a range from '+' to ':' rather than three literals.
      pattern => "\[(\d{4}-\d{2}-\d{2})[A-Z]+(\d{2}:\d{2}:\d{2}).([0-9+-:]+)Z\]"
      negate => true
      what => "previous"
    }
  }
}
# Filter stage as posted in the question: split the timestamp off the message,
# then try to pull the job name and build number out of the file path.
filter {
	# Only events tagged by the file input (add_field test => temp) enter this branch.
	if [test] ==  "temp" {
		# Split at the first space: text before it becomes `timestamp`, the rest
		# replaces `message`.
		dissect {
		  mapping => {
			"message" => "%{timestamp} %{message}"
			}
		}
		# NOTE(review): `copy` is keyed by the source field name; "%{path}" is
		# presumably meant to be the plain field name "path" - confirm.
		mutate {
			copy => { "%{path}" => "componentPath" }
		}
		# `match` is a hash keyed by field name, so the same key cannot be listed
		# twice - this is the duplicate-key problem described in the post.
		# Options: give one field an array of patterns and set
		# break_on_match => false, or capture both segments in a single pattern.
		# NOTE(review): the keys here are also written as "%{componentPath}";
		# presumably the field name "componentPath" is intended - confirm.
		grok {
			match => {
				"%{componentPath}" => ["(?<component>(?<=jobs\/).*?(?=\/builds))"]
				"%{componentPath}" => ["(?<module>(?<=builds\/).*?(?=\/log))"]
			}
		}
	}
    # NOTE(review): this branch is only evaluated when [test] != "temp", so an
    # event that failed the dissect inside the branch above never reaches this
    # drop.
    else if ("_dissectfailure" in [tags]) {
        drop { }
    }
}

Since the path won't change, why not use dissect?

filter {
    # The directory layout is fixed, so dissect can take the job name and the
    # build number straight from their positions in the path.
    # Events whose path does not fit the mapping are tagged _dissectfailure by
    # default, which is worth monitoring or handling explicitly.
    # NOTE(review): assumes the file input stores the file path in `path`; with
    # ECS compatibility enabled it is written to [log][file][path] instead -
    # confirm for your Logstash version.
    dissect {
        mapping => { "path" => "/bitnami/jenkins/jenkins_home/jobs/%{jobName}/builds/%{buildNumber}/log" }
    }
}

Thanks a lot.
I didn't know I could use it this way.
