Grok Parse Help

Jim_Thunder · September 10, 2020, 6:58pm

I am trying to pull one piece of information out of a field using grok. I've tried a couple different way and nothing seems to work. Nothing crashes at all, it's just that I don't see the new field that I am expecting to see.

This is an example field that I am trying to extract from:

And here is my most recent code:

grok { match => ["RCDTEXT", "sender_client_id\":\"(?<Client_ID>[0-9A-F]{7})"] }

Note: I'm escaping the double quotes in the center, surrounding the colon.

Essentially, I need a new field called Client_ID that contains a "word" that is always 3 letters followed by 4 numbers.

Badger · September 10, 2020, 7:13pm

Should that be [0-9A-Z] ?

Jim_Thunder · September 10, 2020, 8:36pm

Yes it should be. Ha, thanks. I changed it but that didn't change the issue. I still don't see the field I need.

Jim_Thunder · September 11, 2020, 1:38pm

Need to get rid of the escape slashes and replace the outer quotes with single quotes.

Like this:
grok { match => ["RCDTEXT", 'sender_client_id":"(?<Client_ID>[0-9A-Z]{7})'] }

system · October 9, 2020, 1:38pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.