GROK pattern query

MiddlewareTeam · April 18, 2019, 12:50pm

I have log as below:

nbresp:500 ~ nbresp1:406 ~ nbresp2: ~ nbresp3:409

I am using GROK pattern as below

%{WORD}:%{WORD:nbresp} ~ %{WORD}:%{WORD:nbresp1} ~ %{WORD}:%{WORD:nbresp2} ~ %{WORD}:%{WORD:nbresp3} ~

which is working exactly fine till nbresp1 but giving grok pattern failure while nbresp2 as there is no value for it. The value of this field varies and sometime it may not give any output like above which becomes blank, I have to provide structural data to ES but as it is failing I can not parse data properly. Can someone please help me how to set grok pattern in this case?

Badger · April 18, 2019, 1:47pm

You can surround a field with ( and )? to make it optional. For example

input { generator { count => 1 message => 'nbresp:500 ~ nbresp1:406 ~ nbresp2:400 ~ nbresp3:409' } }
input { generator { count => 1 message => 'nbresp:500 ~ nbresp1:406 ~ nbresp2: ~ nbresp3:409' } }

filter {
    grok { match => { "message" => "%{WORD}:%{WORD:nbresp} ~ %{WORD}:%{WORD:nbresp1} ~ %{WORD}:(%{WORD:nbresp2})? ~ %{WORD}:%{WORD:nbresp3}" } }
}

MiddlewareTeam · April 25, 2019, 9:40am

Thanks Badger,

This worked as expected. Thanks again for your help!

system · May 23, 2019, 9:40am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.