Grok Filter - alternative patterns for same field?

Hi - I'm trying to create a grok pattern to match a field that contains one or more words and assign a field name to it. When the field contains multiple words, it is wrapped in quotes:

e.g. FieldValue or "Field Value" are potential matches.

I've tried 2 approaches:

("(?<FieldName>[^"]+)")|(?<FieldName>\S+)

(?<FieldName>((?:")([^"]+)(?:"))|(\S+))

The first pattern works fine if there is a quoted string (multiple words) but returns NULL if the string to be matched is a single word (I'm assuming because the first pattern in the boolean regex expression wasn't matched?)

The second pattern matches on both quoted strings and single words but includes the quotes in the match, which I don't want.

Another option would be to just remove the quotes using another filter after the grok filter has finished executing but I would prefer to do it in one go if possible.

Any advice is welcome.

Thanks,

Ben.

I think you'll either have to stick with your second approach or use two grok patterns. You can't use the same name twice in one regular expression.

grok {
  match => {
    'message' =>
      [
        '"(?<FieldName>[^"]+)"',
        '(?<FieldName>\S+)'
      ]
  }
  break_on_match => true
}

Edit: I thought about it again and this could work by using lookaheads and lookbehinds (but for the string "hey it would only match hey, not "hey):
(?<FieldName>((?<=")([^"]+)(?="))|((?!")\S+))
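The three ways of handling the quoted/unquoted value discussed above, as an added Python example (not code from this thread or from Logstash). It uses Python's `re` module, which has the same "a group name can only be used once" rule as the answer describes for grok, so the single-alternation variant has to capture into two differently named groups and coalesce them. The sample values and the unbalanced `"hey` edge case are constructed to mirror the thread; the value is searched on its own, not inside a larger log line with surrounding context.

```python
import re

# Constructed sample values, mirroring the question: a single word, a quoted
# multi-word value, and an unbalanced quote (the edge case raised in the edit).
SAMPLES = ['FieldValue', '"Field Value"', '"hey']

# Emulation of the two-pattern grok approach: the quoted form is tried first and
# the bare form only if it fails, which is what break_on_match => true does.
QUOTED = re.compile(r'"(?P<FieldName>[^"]+)"')
BARE = re.compile(r'(?P<FieldName>\S+)')

# The lookaround form from the edit, with Python's (?P<...>) group syntax.
LOOKAROUND = re.compile(r'(?P<FieldName>(?:(?<=")[^"]+(?="))|(?:(?!")\S+))')

# Python's re forbids reusing a group name inside one pattern, so a single
# alternation needs two names that are coalesced afterwards.
TWO_NAMES = re.compile(r'"(?P<quoted>[^"]+)"|(?P<bare>\S+)')


def extract_two_patterns(text):
    """First pattern that matches wins, like an ordered grok match list."""
    for pattern in (QUOTED, BARE):
        m = pattern.search(text)
        if m:
            return m.group("FieldName")
    return None


def extract_lookaround(text):
    """Single pattern; the quotes are never part of the capture."""
    m = LOOKAROUND.search(text)
    return m.group("FieldName") if m else None


def extract_two_names(text):
    """Single alternation with distinct group names, coalesced into one value."""
    m = TWO_NAMES.search(text)
    if not m:
        return None
    return m.group("quoted") if m.group("quoted") is not None else m.group("bare")


def compare(samples=SAMPLES):
    """Run all three extractors over the samples; returns results keyed by input."""
    return {
        s: {
            "two_patterns": extract_two_patterns(s),
            "lookaround": extract_lookaround(s),
            "two_names": extract_two_names(s),
        }
        for s in samples
    }


if __name__ == "__main__":
    for value, results in compare().items():
        print(repr(value), results)
```

For the well-formed inputs all three extractors return the value without quotes. They differ only on the unbalanced `"hey`: the ordered two-pattern approach and the two-name alternation fall through to `\S+` and keep the stray quote (`"hey`), whereas the lookaround pattern returns `hey`, exactly as the edit above predicts. When such a field is later used for matching or alerting, it is worth deciding explicitly which of those behaviours you want for malformed input rather than discovering it in the indexed data.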

Thanks for the response Jenni - I tried the pattern in your edit but it still didn't seem to work. I think it might be easier to just match with the quotes and remove them in a subsequent filter.

Appreciate your help.

cheers,

Ben.
