Grok Debugger - hard to find identification string for my difficult example

Datakids · May 21, 2019, 1:50pm

{Result=[{Index=1, PropertyName=, ResourceA1=here, ResourceA2=heretoo, ResourceA3=hereagain, ResourceA4=herewego, ResourceKey=transactions.ui.rfc.messages.label.defaultMessage, ServiceKey='6457A5674GF01ED98EAC1Z9934909736', ServiceName=transactions_Simulations, Text=alliswellstructured-:o), Type=2},

Hi @ all,
i struggle with above mentioned unstructured pattern and would like to extract parts into
5 new fields while indexing using logstash grok :
ResourceA1=here
ResourceA2=heretoo
ResourceA3=hereagain
ResourceA4=herewego
Text=alliswellstructured-:o)

Due to its specific start and length
I'm unable to solve the right pattern.
Hope you can help.

Thanks in advance

sjabiulla · May 21, 2019, 2:03pm

You can use KV filter, as your log is already in Key Value format.

filter{
	kv{ 
		source => "message" 
	}
}

Edit : You can use mutate filter to remove the fields that you don't want to index, because kv filter will add all the keys present in the log as fields.

Badger · May 21, 2019, 2:26pm

I would suggest

mutate { gsub => [ "message", "^{Result=\[{", "" ] }
kv { field_split => "," value_split => "=" trim_key => " " }

Datakids · May 22, 2019, 6:52am

Hi,
wow if I'd known how easy that is...
Thanks for reply

Datakids · May 22, 2019, 7:21am

Hi,
thanks too for reply but I'm unsure where to close the missing braces in right way?
Thats like try and error

Datakids · May 23, 2019, 2:28pm

Hi all,

I found a way to handle this case as good as possible @ my personal experience level but for my knowledge I have one more question:

{Result=[{ bla=2, bla=4, bla6 ,Type=2}]}

The First Entry removed by:

mutate {
gsub => [ "getMessage", "^{Result=\[", "" ]}

Works!

Now Id like to remove the last entry with like a similar gsub:

mutate {
gsub => [ "getMessage", "^,Type=2\}\]\}", "" ]}

But it wont work!

Please let me know how I can remove it!

Thanks

Badger · May 23, 2019, 2:51pm

] has a special meaning in a regexp (it closes a character group) so it needs to be escaped using \. That is not the case for }, which does not need to be escaped.

Datakids · May 23, 2019, 3:08pm

Oh man then I were right but tought I were wrong because the Closed Square Bracket behind Type2 associated to the opening and the obvious to close were not obvious though...

grafik

Thanks, you saved my day

Datakids · May 23, 2019, 3:19pm

Badger:

Datakids:
gsub => [ "getMessage", "^,Type=2\}\]\}", "" ]}
] has a special meaning in a regexp (it closes a character group) so it needs to be escaped using \. That is not the case for }, which does not need to be escaped.

me again, its not working
,Type=2}]}
still part of the pattern
What I Did to solve:

First remove all Brackets then the field itself:

mutate {
gsub => [ "getMessage", "\\[|\\]", "" ]}
	
mutate {
gsub => [ "getMessage", "\{\}", "" ]}

mutate {
gsub => [ "getMessage", "Type=2", "" ]}

Badger · May 23, 2019, 3:27pm

mutate { gsub => [ "message", ",Type=2}\]}$", "" ]}

should work. You were anchoring the pattern to ^.

Datakids · May 23, 2019, 3:38pm

no sadly no ,Type=2}]} still there
and thats the reason why I have headaches of thus hmm... logstash filter...
Many ways to Rom but none arrives...

system · June 20, 2019, 3:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.