Grok Filter Pattern with Comma

sarthak2016 · June 13, 2016, 5:27pm

Hello All,

I need %{GREEDYDATA:Text1} till first comma

Here is the input file data
02/06/2016 01:01:07,Text1Data,Text2Datap1,Text2Datap2,Text2Datap3,1046,547,error

Grok Expression
%{DATESTAMP:Time},%{GREEDYDATA:Text1},%{GREEDYDATA:Text2},%{INT:value1},%{INT:value2},%{GREEDYDATA:Status}

Current Output
{
"Time": [
"02/06/2016 01:01:07"
],
"Text1": [
"Text1Data,Text2Datap1,Text2Datap2"
],
"Text2": [
"Text2Datap3"
],
"value1": [
"1046"
],
"value2": [
"547"
],
"Status": [
"error"
]
}

Expected Output
{
"Time": [
"02/06/2016 01:01:07"
],
"Text1": [
"Text1Data"
],
"Text2": [
"Text2Datap1,Text2Datap2,Text2Datap3"
],
"value1": [
"1046"
],
"value2": [
"547"
],
"Status": [
"error"
]
}

Thanks for your help in Advance

Eric_Amick · June 13, 2016, 5:45pm

The most likely answer is to not use GREEDYDATA. Try (?<Text1>[^,]*) instead of %{GREEDYDATA:Text1}.

sarthak2016 · June 13, 2016, 5:49pm

Hello Eric,

Thanks for the response,
As per your suggestion, i have updated expression as below

But it gives no match

Eric_Amick · June 13, 2016, 5:52pm

You need to change all the occurrences of GREEDYDATA using the same basic approach as the first.

sarthak2016 · June 13, 2016, 6:01pm

Hello Eric,

If possible, can you please provide me complete expression ?

Thanks

Eric_Amick · June 13, 2016, 6:36pm

%{DATESTAMP:Time},(?<Text1>[^,]*),(?<Text2>[^,]*),%{INT:value1},%{INT:value2},(?<Status>[^,]*)

This is all on one line, obviously.

sarthak2016 · June 13, 2016, 7:28pm

Thanks Eric,

I got correct expected output now,

magnusbaeck · June 13, 2016, 8:13pm

Since your input is CSV, why not use the csv filter instead of grok?