Grok filter to retrieve simple words or character from text/string

scch · November 27, 2017, 7:25am

Hi , I have used CSV filter to import data .
Can someone share example code to use grok filter to retrieve simple words from fields imported previously through csv filter and add them to new field.
up to last dot

magnusbaeck · November 27, 2017, 9:10am

grok {
   match => ["filenamefield", "\.(?<extension>[^.]+)$"]
}

scch · November 27, 2017, 2:39pm

Thanks Magnus however it is not working do i need to make some changes
Also can you guide me to some tutorial apart from grok resource on Elasticsearch website.

by adding above code, data got accumulated in to one field "type" and there is a field tags which says "_grokparsefailure"

magnusbaeck · November 27, 2017, 8:56pm

do i need to make some changes

Well, you should obviously replace "filenamefield" with the name of the field containing the filename from which you want to extract the filename extension.

But to help more than that I need to see your configuration and what an example event looks like. Use a stdout { codec => rubydebug } output.

Also can you guide me to some tutorial apart from grok resource on Elasticsearch website.

Grok expressions are more or less regular expressions and there are tons of resources describing how they work.

scch · November 30, 2017, 2:00pm

Hi Magnus,
Thanks it is working
one more issue if the file name does not have any extension .jpg .bmp etc..
rubydebug say's >>>>> "tags" => [[0] "_grokparsefailure" ],

how to handle this exception.? is there a way to put "TXT" where file extension not found.

scch · November 30, 2017, 2:05pm

and can you explain me whats happening in later part of it basically [^.]+)$]

magnusbaeck · December 1, 2017, 6:43am

how to handle this exception.? is there a way to put "TXT" where file extension not found.

if "_grokparsefailure" in [tags] {
  mutate {
    add_field => {
      "extension" => "txt"
    }
    remove_tag => ["_grokparsefailure"]
  }
}

and can you explain me whats happening in later part of it basically [^.]+)$]

[^.] means "any character except a period", + means "one or more occurrences of the preceding token", and $ means end-of-string.

These are standard regular expressions. If you don't know them it should be on your todo list.

scch · December 1, 2017, 8:06am

Thanks a lot this works..

If you don't know them it should be on your todo list.

agree.. in-fact lot to learn in ELK

system · December 29, 2017, 8:06am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.