Grok filter for a custom message

mrashid · January 9, 2019, 12:27pm

**

The build ID of the run is : 104

**

I have the above line in the message field . I am trying to use Grok filter to extract the entire line to a new field by the name of "filteredValue".

WHat I have tried :

filter {
grok {
match => { "message =>%{{The build ID of the run is %{NUMBER}:filteredValue}}"}
}
}

Please let me know where exactly I am making the mistake. Thank you.

Badger · January 9, 2019, 1:41pm

Try

grok { match => { "message" => "^The build ID of the run is : %{NUMBER:filteredValue}" } }

mrashid · January 10, 2019, 7:24am

Thank you so much for the input. I am able to filter. However, I am not getting the entire line in the field - "filteredValue" . I am getting only the number i.e 104 in the above line.

Is there any way to get the entire line ? Thanks in advance.

Badger · January 10, 2019, 2:01pm

If you want the entire event copied to a new field then I would suggest using a conditional to test that it is a line you care about and then using mutate+copy to copy message to some other field.

mrashid · January 10, 2019, 7:40pm

okay. Thank you. I will try and get back.

mrashid · January 10, 2019, 7:41pm

@Badger kindly give some input on this : Copy data from a field and make it available for all the documents

Thanks a lot.

system · February 7, 2019, 7:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.