GROK filter with regular expression not working

Hans · November 25, 2016, 6:53pm

Hi, I have a regular expression in a GROK filter, where the first filter is working however the next 5 filters are not working. Could someone kindly look at the filter and possibly point out where I am going wrong?

grok {
match => ["CELL_ID_LONG", "(?<CELL_ID>\d{5})$"]
match => ["OTHER_NUMBER", "^(?<OTHER_NUMBER_5>\d{5})"]
match => ["OTHER_NUMBER", "^(?<OTHER_NUMBER_4>\d{4})"]
match => ["OTHER_NUMBER", "^(?<OTHER_NUMBER_3>\d{3})"]
match => ["OTHER_NUMBER", "^(?<OTHER_NUMBER_2>\d{2})"]
match => ["OTHER_NUMBER", "^(?<OTHER_NUMBER_1>\d{1})"]
}

with the first match I am extracting the last 5 digits of a long number, this one is working without problems:

match => ["CELL_ID_LONG", "(?<CELL_ID>\d{5})$"]

Then the next 5 once, I am trying to extract the 5 to 1 numbers of another long number, this is not working:

match => ["OTHER_NUMBER", "^(?<OTHER_NUMBER_5>\d{5})"]
match => ["OTHER_NUMBER", "^(?<OTHER_NUMBER_4>\d{4})"]
match => ["OTHER_NUMBER", "^(?<OTHER_NUMBER_3>\d{3})"]
match => ["OTHER_NUMBER", "^(?<OTHER_NUMBER_2>\d{2})"]
match => ["OTHER_NUMBER", "^(?<OTHER_NUMBER_1>\d{1})"]

The input number for the OTHER_NUMBER match looks something like this:

277263514659

Any assistance with this challenge would be truly appreciated.

magnusbaeck · November 27, 2016, 8:50pm

Please always format your configuration snippets as preformatted text so that it's shown correctly Specifically, your first grok expression reads "(?\d{5})$" above but it's actually "(?<some-field-name>\d{5})$".

As documented, the grok filter stops after the first matched expression. Either use multiple grok filters or use a single expression that extracts all the information. What's the desired result of your parsing of OTHER_NUMBER?

Hans · November 28, 2016, 5:06am

@magnusbaeck, thank you for the feedback and noted on the configuration snippets. I will do multiple grok filters my regular expression knowledge is not that good until now to put it all in one.

magnusbaeck · November 28, 2016, 6:30am

Depending on how you want to parse the string it might be significantly easier to do with a single expression.

system · December 26, 2016, 6:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.