Grok match with AND condition

rammulay · August 14, 2017, 8:35pm

I have the following log lines -
Receive event inbound record: ConsumerRecord(topic = wms, partition = 1, offset = 52479, NoTimestampType = -1, checksum = 2914947648, serialized key size = 36, serialized value size = 211, key = f8eac256-f0d5-44e5-b03a-6c2e415fd13d, value = {"event_created_time_stamp":"2017-08-14T08:57:49.456Z"})
Receive event inbound record: ConsumerRecord(topic = wms, partition = 0, offset = 52376, NoTimestampType = -1, checksum = 1545449889, serialized key size = 36, serialized value size = 211, key = f92bbc5e-1ca8-4e3f-a891-1cfc485e36f5, value = {"event_created_time_stamp":"2017-08-14T08:57:49.552Z"})
Receive event inbound record: ConsumerRecord(topic = wms, partition = 2, offset = 52024, NoTimestampType = -1, checksum = 4268967762, serialized key size = 36, serialized value size = 211, key = ec9993eb-b465-489b-aca3-a72e9b365afa, value = {"event_created_time_stamp":"2017-08-14T08:57:49.502Z"})

I want to write a grok match filter that will match lines that have -
'Receive event inbound record' AND 'partition = 0'

How do I do this using grok match? I used https://grokconstructor.appspot.com/do/match#result and it seems like 'Receive event inbound record received | partition = 0' actually works but not sure if this is the best way do do this?

magnusbaeck · August 15, 2017, 5:25am

^Receive event inbound record: .*, partition = 0,

rammulay · August 16, 2017, 12:59am

Thanks Magnus, this works too! Can you explain why this is better than the first?

I think I understand most of this...'^' (beginning of line), '.*'(any char 0 or more times). What does the ',' indicate? Is it the equivalent of the AND condition?

Is the ',' at the end of 'partition = 0' really needed?

magnusbaeck · August 16, 2017, 8:36am

Thanks Magnus, this works too! Can you explain why this is better than the first?

If you're talking about the expression Receive event inbound record received | partition = 0, that matches any string containg either "Receive event inbound record received" or "partition = 0". That's not what you're looking for.

What does the ‘,’ indicate? Is it the equivalent of the AND condition?

No, it's a literal comma.

Is the ‘,’ at the end of ‘partition = 0’ really needed?

If you don't want "... partition = 02" to match, yes.

system · September 13, 2017, 8:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.