Grok inception

Hi, is it possible to do a grok inside a grokked field?

This is my log line:

monitor:Something_otherthing_anotherthing

The main grok:

grok {
  # A %{DATA} at the very end of a pattern is non-greedy and matches an empty
  # string, so GREEDYDATA is needed to capture everything after "monitor:".
  match => {"message" => "monitor:%{GREEDYDATA:monitor}"}
}

result: Something_otherthing_anotherthing

And from the monitor field, do another grok and capture the first string before the underscore:

mutate {
  copy => {"monitor" => "name"}
}
grok {
  # Without overwrite, grok appends the capture to the existing "name" field
  # and it becomes an array instead of being replaced.
  overwrite => ["name"]
  match => {"name" => "%{DATA:name}_"}
}

result: Something

Will it work?
Is there a more efficient way to do this?

Sure you can do a grok after a grok. Basically in the first grok you are extracting some pieces of the original message and storing them in given fields. Nothing prevents you from applying a grok on those brand-new fields.

If there is a more efficient way to do that, it really depends on the kind of log you are working on. For example in your case, obviously that is not the most efficient method since you can obviously do everything in the first grok.

But for more complex situations it might be useful to apply more than one grok in your pipeline.

1 Like

Hi Fabio, I didn't do it in the first grok because I need both fields: the one created in the original grok, and the latter with only the name in it. Also, in some logs the name is composed of two strings separated by underscores, and I think it will be easier to apply conditionals to a separate field. Thanks for your answer!

Yes, but you could make a grok with a break_on_match => false clause, extract everything you want, and then work on it. But that's not to say it'd be the best solution.

So yeah, you can do multiple groks in your pipeline :slight_smile:
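The single-grok variant suggested above, written out as an added example (not a config from this thread): one grok filter with break_on_match => false fills both the full monitor field and the separate name field from the constructed line "monitor:Something_otherthing_anotherthing", with no mutate copy in between. The conditional and the tag name are hypothetical placeholders for the "conditionals on a separate field" the question mentions.

```logstash
# Added example, not from the thread. Input event (constructed):
#   message = "monitor:Something_otherthing_anotherthing"
filter {
  grok {
    # Try every pattern in the list instead of stopping at the first match.
    break_on_match => false
    match => {
      "message" => [
        # Whole value after the prefix. GREEDYDATA, because a DATA pattern
        # at the end of a match is non-greedy and would capture nothing.
        "^monitor:%{GREEDYDATA:monitor}$",
        # Everything up to the first underscore. If the value contains no
        # underscore at all, the whole value becomes the name.
        "^monitor:(?<name>[^_]+)"
      ]
    }
  }

  # Hypothetical conditional on the separate field (placeholder tag name).
  if [name] == "Something" {
    mutate { add_tag => ["something_monitor"] }
  }
}
```

For the constructed line this yields monitor = "Something_otherthing_anotherthing" and name = "Something"; a name made of two underscore-separated strings still resolves to its first part, which is what a conditional on the field would compare against. Because both patterns run against the untouched message, neither capture collides with an existing field, so no overwrite setting is needed.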
