Grok filter inquiry

ibrahimsharaf · June 12, 2017, 2:49pm

Hello, how to extract a specific word out of a string without spaces, for example:
'stock_status': 'IN_STOCK','title_ar': u'Happy Wedding Card'

I want to extract the (IN_STOCK), I tried:

grok{
match => [ "message", "'stock_status': '%{GREEDYDATA:stock_value}'," ]
}

But the output is:
"IN_STOCK','title_ar': u'Happy Wedding Card"

How can I add something like a termination character (e.g: comma).

Kryten · June 12, 2017, 10:09pm

You could try this pattern in your Grok:

grok{
    match => [ "message", "'stock_status': '.*status\'\:\s\'(?<stock_status>\w*)" ]
}

ibrahimsharaf · June 13, 2017, 7:19pm

@Kryten I tried it, but it doesn't match

Kryten · June 13, 2017, 7:34pm

Hmm... It should:

Is the example line you supplied accurate?

ibrahimsharaf · June 13, 2017, 7:52pm

But shouldn't I try the whole pattern instead?

Kryten · June 13, 2017, 7:57pm

Do me a favour.. paste the pattern you are trying to use into the message so I can use it too to see what you see..
Why do you want more in the pattern than you need?

ibrahimsharaf · June 13, 2017, 8:43pm

Issue fixed, this one is working now

grok{
    match => [ "message", ".*status\'\:\s\'(?<stock_status>\w*)" ]
}

Thank you @Kryten!

system · July 11, 2017, 8:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.