Hi All, I am having a query related to grok processor.
For example this is my message filed
{
"message":"agentId:agent003"
}
I want to Grok this and my output should me something like this
{
"message":"agentId:agent003",
"agentId":"agent003"
}
Could some one help me on this how to achieve this? If i am able to do it for one field i can manage for rest of my fields. Thanks in advance.
Try this:
\"agentId:%{NOTSPACE:agentId}\"
You can check at https://grokconstructor.appspot.com/do/match
Hi @fadjar340,
when i try to create a ingest pipeline using grok processor. Above mentioned grok pattern not accepted. Kindly advise.
PUT _ingest/pipeline/dissectpipeline
{
"description" : "split message content",
"processors": [
{
"grok": {
"field": "message",
"patterns": ["\"agentId:%{NOTSPACE:agentId}\""]
}
}
}
]
}
If you use logstash, put the script in to the
filter {
grok {
match => { "message" => "\"agentId:%{NOTSPACE:agentId}\"}"
}
}
Regards,
Fadjar Tandabawana
Hi @fadjar340,
Thanks for reply but i configured everything in filebeat so i just wanted to create it as a ingest pipeline and have to use my pipeline Id in filebeat.
So while creating pipeline with the given grok pattern i am getting error. So could you please help me to achieve this in ingest pipeline methods as i have given my pipeline above.
There are unnecessary bracket that make an error
PUT _ingest/pipeline/dissectpipeline
{
"description" : "split message content",
"processors": [
{
"grok": {
"field": "message",
"patterns": ["\"agentId:%{NOTSPACE:agentId}\""]
}
}
} <= unnecessary
]
}
@fadjar340 - Also created another topic related to dissect pipeline added lnk for your reference that is something similar to this.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
