Grok optional pattern parsing

I have a path field that can have values such as /root/cncnz05msp1da15-n01_logs/a.txt, /root/cncnz05msp1ts05_logs/a.txt, or /root/cncnz05mspmon_logs/a.txt.

I have the Logstash config below, which works fine for cncnz05msp1ts05_logs / cncnz05mspmon_logs but not for cncnz05msp1da15-n01_logs. How can I parse the optional field -n01? I tried using %{GREEDYDATA:server}(-...)?_log but it's not working.

    grok {
        break_on_match => false
        match => { "path" => "%{GREEDYDATA:root_path}/%{GREEDYDATA:server}/%{GREEDYDATA:filename}" }
        match => { "server" => "%{GREEDYDATA:server_info}\_" }
        match => { "server_info" => "^(?<NTC>...)(?<Zone>....)(?<VM_rest>.*)" }
        match => { "VM_rest" => "(?<VM>....)$" }
    }

Result that I want is:

NTC: 3 characters
Zone: 4 characters
MSP/MSP1 (don't capture)
VM: 4 characters just before _ or -

Generally I avoid supplying an option multiple times to a filter. Logstash will combine them, but sometimes does so in unexpected ways. Anyways, you need to adjust the pattern that extracts server_info.

    grok {
        break_on_match => false
        match => {
            "path" => "%{GREEDYDATA:root_path}/%{GREEDYDATA:server}/%{GREEDYDATA:filename}"
            "server" => "(?<server_info>[^\-_]+)[\-_]"
            "server_info" => "^(?<NTC>...)(?<Zone>....)(?<VM_rest>.*)"
            "VM_rest" => "(?<VM>....)$"
        }
    }

Edited to add:

It is also possible that you could fix this by changing it to

    "server" => "%{DATA:server_info}[\-_]"

You may not need a custom pattern, just a pattern that is not greedy.
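The Ruby sketch below is an added example, not part of the original posts: it expands GREEDYDATA (`.*`) and DATA (`.*?`) by hand and runs the four matches over the three sample paths, comparing the greedy server pattern from the question with the two replacements suggested above. `run_chain` and the constant names are hypothetical, the matches are assumed to apply in the order listed, and Ruby's regex engine stands in for grok's.

```ruby
# Grok's stock patterns expanded by hand: GREEDYDATA is .* and DATA is .*?
GREEDYDATA = '.*'
DATA = '.*?'

# Three candidate patterns for the "server" field.
SERVER_GREEDY = /(?<server_info>#{GREEDYDATA})_/   # greedy pattern from the question
SERVER_CUSTOM = /(?<server_info>[^\-_]+)[\-_]/     # custom class from the answer
SERVER_LAZY   = /(?<server_info>#{DATA})[\-_]/     # %{DATA} variant from the answer

# Apply the four matches in order (assumption: the order listed in the config).
# As with break_on_match => false, a failed match does not stop the later ones.
def run_chain(path, server_pattern)
  steps = [
    ['path', %r{(?<root_path>#{GREEDYDATA})/(?<server>#{GREEDYDATA})/(?<filename>#{GREEDYDATA})}],
    ['server', server_pattern],
    ['server_info', /^(?<NTC>...)(?<Zone>....)(?<VM_rest>.*)/],
    ['VM_rest', /(?<VM>....)$/]
  ]
  event = { 'path' => path }
  steps.each do |field, regex|
    next unless event[field]          # source field was never extracted
    m = regex.match(event[field])     # unanchored search, like grok
    event.merge!(m.named_captures) if m
  end
  event
end

# Sample paths taken from the question.
PATHS = %w[
  /root/cncnz05msp1da15-n01_logs/a.txt
  /root/cncnz05msp1ts05_logs/a.txt
  /root/cncnz05mspmon_logs/a.txt
].freeze

{ 'greedy' => SERVER_GREEDY, 'custom' => SERVER_CUSTOM, 'lazy' => SERVER_LAZY }.each do |name, pattern|
  PATHS.each do |path|
    e = run_chain(path, pattern)
    puts format('%-6s %-22s NTC=%s Zone=%s VM=%s', name, e['server_info'], e['NTC'], e['Zone'], e['VM'])
  end
end
```

Only the greedy pattern runs to the last underscore and pulls `-n01` into server_info, so VM becomes `-n01` instead of `da15`; the other two stop at the first `-` or `_`.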

Thanks @Badger
