Generate grok custom pattern to message filed

Mohan_vel · June 17, 2020, 6:13am

Hi All, I am having a query related to grok processor.
For example this is my message filed

{
"message":"agentId:agent003"
}

I want to Grok this and my output should me something like this

{
"message":"agentId:agent003",
"agentId":"agent003"
}

Could some one help me on this how to achieve this? If i am able to do it for one field i can manage for rest of my fields. Thanks in advance.

fadjar340 · June 17, 2020, 6:49am

Try this:

\"agentId:%{NOTSPACE:agentId}\"

You can check at https://grokconstructor.appspot.com/do/match

Mohan_vel · June 17, 2020, 10:50am

Thanks a lot @fadjar340

Mohan_vel · June 17, 2020, 12:33pm

Hi @fadjar340,

when i try to create a ingest pipeline using grok processor. Above mentioned grok pattern not accepted. Kindly advise.

    PUT _ingest/pipeline/dissectpipeline
    {
      "description" : "split message content",
      "processors": [
        {
          "grok": {
              "field": "message",
              "patterns": ["\"agentId:%{NOTSPACE:agentId}\""]
            }
        }
       }
      ]
    }

fadjar340 · June 18, 2020, 5:53am

If you use logstash, put the script in to the

    filter {
       grok {
            match => { "message" => "\"agentId:%{NOTSPACE:agentId}\"}" 
       }
    }

Regards,
Fadjar Tandabawana

Mohan_vel · June 18, 2020, 5:51pm

Hi @fadjar340,

Thanks for reply but i configured everything in filebeat so i just wanted to create it as a ingest pipeline and have to use my pipeline Id in filebeat.

So while creating pipeline with the given grok pattern i am getting error. So could you please help me to achieve this in ingest pipeline methods as i have given my pipeline above.

fadjar340 · June 18, 2020, 6:00pm

Mohan_vel:

    PUT _ingest/pipeline/dissectpipeline
    {
      "description" : "split message content",
      "processors": [
        {
          "grok": {
              "field": "message",
              "patterns": ["\"agentId:%{NOTSPACE:agentId}\""]
            }
        }
       }
      ]
    }

There are unnecessary bracket that make an error

     PUT _ingest/pipeline/dissectpipeline
    {
      "description" : "split message content",
      "processors": [
        {
          "grok": {
              "field": "message",
              "patterns": ["\"agentId:%{NOTSPACE:agentId}\""]
            }
        }
       }  <= unnecessary 
      ]
    }

Mohan_vel · June 18, 2020, 6:09pm

Oh God, simple, Wasted lot more time on this.
Thanks @fadjar340

Mohan_vel · June 18, 2020, 6:12pm

@fadjar340 - Also created another topic related to dissect pipeline added lnk for your reference that is something similar to this.

multiple pattern dissect processor

system · July 16, 2020, 6:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Ingest pipeline should work based on conditions Elasticsearch	2	367	July 18, 2020
About Ingest Processor patterns Elastic Stack ingest-pipeline	4	293	June 20, 2022
[Ingest pipeline] tag and trace match Elasticsearch ingest-pipeline	1	941	March 31, 2022
How to create multiple pattern dissect processor - Ingest pipeline Elasticsearch	2	737	July 20, 2020
Elastic Agent, Ingest pipeline processing fields Elastic Agent	3	369	January 19, 2023

Generate grok custom pattern to message filed

Related topics