Grok pattern DATA (.*?) not giving all matches from the line

laxman1 · July 18, 2018, 7:30am

Text : Beginning Master Job Beginning child1 Job Beginning child2 Job

when I used the below grok pattern temp variable is capturing only "Master" where as I need "child1" and "child2" matches also from text
grok{

           patterns_dir => ["./patterns"]
           match => {"message" => "Beginning %{DATA:temp} Job"}
          break_on_match => false
    }

I made break_on_match false also

Badger · July 18, 2018, 3:04pm

I would use a ruby filter to scan that.

    ruby {
        code => "
            s = event.get('message')
            r = s.scan(/Beginning ([^[:space:]]+) Job/)
            r = r.flatten
            event.set('jobs', r.join(','))
        "
    }

You might then want to mutate+split the jobs field.

laxman1 · July 19, 2018, 12:55pm

Thanks for the reply. It is working for this but I have multiple patterns in such way. It would be nicer if it is taken care by grok filter.

system · August 16, 2018, 12:55pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash 7.2 grok match filter plugin using multiple patterns Logstash	1	259	July 25, 2019
How to get all matches for a grok pattern in a multiline message Logstash	5	2807	July 6, 2017
GROK Multiple Match - Logstash Logstash	4	27096	July 6, 2017
Logstash 8.1 multiple patterns Logstash	2	160	December 22, 2023
Grok performance Logstash	5	1307	January 18, 2018

Grok pattern DATA (.*?) not giving all matches from the line

Related Topics