Extract strings from one field

DavidL · June 30, 2015, 3:29pm

After successfully parsing out this field from my log files, I want to extract information from this field and store it as a separate field, I looked through lots of the filters and didn't find one that serves this purpose, the field looks like this:

/content/folder[@name='*', Inc (t0030427da5p)']/reportView[@name=' **** ** **** ** *** *******']

It should be like a path(text replaced by stars for company's sake), I want information between the bracket, or even better the two names(represented by stars). Any hints would be really appreciated <:

magnusbaeck · June 30, 2015, 8:30pm

Use the grok filter. I'm not 100% sure what result you expect from the example input string, but if you want the text inside the two single-quoted strings the following should work:

grok {
  match => [
    "name-of-field",
    "@name='(?<name1>[^']+)'.*@name='(?<name2>[^']+)'"
  ]
]

If the single-quoted strings themselves can contain single quotes that are escaped somehow it'll take some more care.

DavidL · June 30, 2015, 10:08pm

Thank you magnus, you are great. I did came up with my own grok but yours is much prettier.

David

Topic		Replies	Views
Extract a string from a field and create a new field with that string Logstash	2	10331	March 6, 2017
Grok Parse Help Logstash	4	253	October 9, 2020
Parsing an existing field further Logstash	6	389	September 10, 2021
Extract multiple field/value pairs from single value in JSON string Logstash	3	364	February 28, 2020
Split string from one field from input to three or mutiple in output Logstash	2	308	July 6, 2017

Extract strings from one field

Related topics