Grok and match windows path

Hi.
I have some trouble matching a path to a field.
Here is the path in the table:
log.file.path C:\Program Files\1cv8\srvinfo\reg_1541\d3367601-19f9-4ad2-afa0-078939886fc5\1Cv8Log\20190217000000.lgp
In JSON it looks like:
C:\\Program Files\\1cv8\\srvinfo\\reg_1541\\4cd3c2be-4872-4058-a877-fff0cf9958e7\\1Cv8Log\\20190529150000.lgp

So I try to match it with this string:
match=> { "path" => "%{GREEDYDATA}\\reg_1541\\%{DATA:base_id}\\1Cv8Log*"}

I tried these patterns in the grok debugger:

%{GREEDYDATA}\reg_1541\%{DATA:base_id}\1Cv8Log*
%{GREEDYDATA}\\reg_1541\\%{DATA:base_id}\\1Cv8Log*
C:\Program Files\1cv8\srvinfo\reg_1541\%{DATA:base_id}\1Cv8Log
%{GREEDYDATA}\reg_1541\%{DATA:base_id}\1Cv8Log
%{GREEDYDATA}\\reg_1541\\%{DATA:base_id}\\1Cv8Log

and they are OK, but Logstash doesn't create the field base_id.
Help me, please.

Using

input { generator { count => 1 lines => [ '' ] } }
filter {
    mutate { add_field => { "[path]" => "C:\Program Files\1cv8\srvinfo\reg_1541\d3367601-19f9-4ad2-afa0-078939886fc5\1Cv8Log\20190217000000.lgp" } }
    grok { match=> { "path" => "%{GREEDYDATA}\\reg_1541\\%{DATA:base_id}\\1Cv8Log*" } }
}
output { stdout { codec => rubydebug { metadata => false } } }

I get

   "base_id" => "d3367601-19f9-4ad2-afa0-078939886fc5",

So something is not as you describe it.

Note that there is no implicit anchoring of grok patterns, so you do not need the leading %{GREEDYDATA}.

So something is not as you describe it.

You are right, the mutate is missing:

but I already have this field in the doc:

log.file.path C:\Program Files\1cv8\srvinfo\reg_1541\f11cbea7-7da0-42a2-852c-05792caa0a7b\1Cv8Log\20190501000000.lgp

How can I parse it?
It seems that guy is stuck in the same place.

But in my case this works fine:

match=> { "[log][file][path]" => "%{GREEDYDATA}\reg_1541\%{DATA:base_id}\1Cv8Log"}

thanks for help

it works for me as well

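An added example, not code from any post in this thread: a Ruby sketch of why the pattern matches in the generator test (where the value sits in a top-level `path` field) but extracts nothing when the value lives under `[log][file][path]`. The event is constructed, `get_field` and `extract_base_id` are hypothetical helpers, and the regex is a hand expansion of the grok pattern using grok's definition of DATA (`.*?`).

```ruby
# Constructed event shaped like the document in the thread: the path is
# nested under log -> file -> path, and there is no top-level "path" key.
EVENT = {
  "log" => { "file" => { "path" =>
    'C:\Program Files\1cv8\srvinfo\reg_1541\d3367601-19f9-4ad2-afa0-078939886fc5\1Cv8Log\20190217000000.lgp' } }
}.freeze

# Hand-expanded form of \\reg_1541\\%{DATA:base_id}\\1Cv8Log.
# In regex source, \\ matches exactly one literal backslash. The pattern is
# unanchored, so no leading %{GREEDYDATA} equivalent is needed.
BASE_ID_RE = /\\reg_1541\\(?<base_id>.*?)\\1Cv8Log/

# Hypothetical helper: resolve a Logstash-style field reference.
# "[log][file][path]" walks nested keys; a bare name (even one containing
# dots, as shown in a table view) is looked up as a single top-level key.
def get_field(event, ref)
  keys = ref.start_with?("[") ? ref.scan(/\[([^\]]+)\]/).flatten : [ref]
  keys.reduce(event) { |node, k| node.is_a?(Hash) ? node[k] : nil }
end

# Hypothetical helper: return the captured base_id, or nil when the field
# is absent or the pattern does not match its value.
def extract_base_id(event, ref)
  value = get_field(event, ref)
  return nil unless value.is_a?(String)
  m = BASE_ID_RE.match(value)
  m && m[:base_id]
end

if __FILE__ == $PROGRAM_NAME
  ["path", "log.file.path", "[log][file][path]"].each do |ref|
    puts "#{ref.ljust(20)} -> #{extract_base_id(EVENT, ref).inspect}"
  end
end
```

Only the bracketed nested reference reaches the value; the other two references find no field, so the pattern is never applied and no `base_id` is produced.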