Grok match regex

Soren_vdc · July 29, 2021, 9:00am

Hi,

I want to create grok match and have the 2 first words and the last part of the message.
For example:
ERROR;AuthenticationController ;processMessage ;THR=11107194 R=760a52d97983874 T=6031a0711ec3 U=Unauthenticated I=78.21.19.214 A=- C=0001 O=- V=-;Code[TXT-CD,LAA001] transformation to input contract failed

I have this filter
(?((?:.(?!;))+$))

Result:
"exceptionHeader": [
[
";Code[TXT-CD,LAA001] transformation to input contract failed"
]
Any idea how I can add "ERROR;AuthenticationController" to "exceptionHeader"?
thx

Cad · July 29, 2021, 10:28am

Hi,

I don't know if it's possible to put all the values you want directly in a unique field. So i put values in multiple field and put them together in a new field with add_field option.
After that, i remove duplicate data with remove_field.

filter {
  grok {
    match => {
      "message" => "^%{DATA:part1};%{DATA:part2};%{GREEDYDATA};%{DATA:part3}$"
    }
    add_field => { "content" => "%{part1};%{part2};%{part3}"}
    remove_field => [ "part1", "part2", "part3" ]
  }
}

Cad.

Soren_vdc · July 29, 2021, 11:11am

thanks for the info Cad, it works !

system · August 26, 2021, 11:11am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Create new field from existing field using REGEX Logstash	4	1061	November 21, 2019
Grok rewrite field value if matches string Logstash	2	943	December 21, 2016
Match specific word in grok filter Logstash	2	3177	August 22, 2019
Logstash Multiple Grok Add Field Logstash	3	1009	August 24, 2018
Regex in mutate filter Logstash	4	1671	June 15, 2020

Grok match regex

Related topics