Grok match regex

Soren_vdc · July 29, 2021, 9:00am

Hi,

I want to create grok match and have the 2 first words and the last part of the message.
For example:
ERROR;AuthenticationController ;processMessage ;THR=11107194 R=760a52d97983874 T=6031a0711ec3 U=Unauthenticated I=78.21.19.214 A=- C=0001 O=- V=-;Code[TXT-CD,LAA001] transformation to input contract failed

I have this filter
(?((?:.(?!;))+$))

Result:
"exceptionHeader": [
[
";Code[TXT-CD,LAA001] transformation to input contract failed"
]
Any idea how I can add "ERROR;AuthenticationController" to "exceptionHeader"?
thx

Cad · July 29, 2021, 10:28am

Hi,

I don't know if it's possible to put all the values you want directly in a unique field. So i put values in multiple field and put them together in a new field with add_field option.
After that, i remove duplicate data with remove_field.

filter {
  grok {
    match => {
      "message" => "^%{DATA:part1};%{DATA:part2};%{GREEDYDATA};%{DATA:part3}$"
    }
    add_field => { "content" => "%{part1};%{part2};%{part3}"}
    remove_field => [ "part1", "part2", "part3" ]
  }
}

Cad.

Soren_vdc · July 29, 2021, 11:11am

thanks for the info Cad, it works !

Topic		Replies	Views
Create new field from existing message match grok filter Logstash	2	363	February 21, 2020
Multiple grok parsing not extracting all the fields Logstash	5	1346	February 4, 2020
GROK Multiple Match - Logstash Logstash	4	27194	July 6, 2017
Using field name other than "message" in grok match Elasticsearch	6	595	December 23, 2020
Multiple grok matching fileds Logstash	3	2208	July 15, 2015

Grok match regex

Related topics