Extracting the last word of an event/line (Grok)

nino · January 13, 2020, 7:56am

Hello all,

i am looking for a Grok pattern to retrieve the last word a matching line with literal.

input (file content)

THISLINE 1,011.53EUR 12,815.50EUR 2,940.17 100,011.53EUR

filter

grok{

      match => {
          message => [ "(?<field>(?<=THISLINE )[^\r]*)" ]
     }

}

output

{
         "@version" => "1",
         "path" => "",
         "message" => " 1,011.53EUR 12,815.50EUR 2,940.17 100,011.53EUR",
         "@timestamp" => 2020-01-06T23:00:00.000Z
}

I need to extract the last word/number of the event and i've couldn't find a succesful pattern.

Best regards

Badger · January 13, 2020, 1:38pm

What do you want to extract from that?

nino · January 13, 2020, 2:30pm

Sorry Badger, I forgot. The last quantity 100,011.53EUR. I've asked for a pattern because maybe it's more easy to extract the last quantity with a pattern that extract last word/number of an event/line. Sure It can be done using spliting the field and retrieve the part that i want pointing to the splited index. But i would to learn patterns and regular expresion to save lines of code.

100,011.53EUR

Best regards

elasticforme · January 13, 2020, 3:00pm

this will be badger's solution. he suggested to me on another thread.

ruby { code => " event.set('last_field', event.get('message').split(' ').last)" }

nino · January 13, 2020, 3:04pm

Thank you so much elasticforme. I wonder if this can be done directly aplying a pattern or regular expresion to the event.

system · February 10, 2020, 3:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.