Hi all,
I want to grok a message like
blablabla: entry_1, entry_2, entry_3
the message has at least 1 entry after the : and CAN HAVE up to x entries, which are separated with ",".
I need a grok which matches the first entry and also matches every optionally entry, separated by a "," all assigned to the field "entries".
Thanks in advance
EDIT: in Rubular it would be just like
([\w]+)
But I cannot figure out how to use this in grok
I would do this in two steps. First split out the key blablabla and the csv data, and then split the data into an array.
filter {
grok {
match => { "message" => "[^:]*: %{GREEDYDATA:mycsvdata}"}
}
mutate {
split => {"mycsvdata" => "," }
}
}
This will result in:
"mycsvdata":["entry_1"," entry_2"," entry_3"]is there no way with grok? this line is a part of a pattern and my filter consists of many many patterns. so I have to split this line in the pattern itself.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.