Grok pattern to get the whole text without considering space

Elastic Stack Logstash
1

I am trying to grok a message text with my grok pattern if i pass the sample data without space my grok pattern works fine but if there is any space in between text it fetch only the first word before space and after space it ignores.

In my case i need to get the whole text with out considering space. I have given my grok pattern and sample data below.

Sample data

"CSIC_agentId:bo peng"

Grok pattern

CSIC_agentId:%{NOTSPACE:apm_agentId.agentId}

Result

{
  "apm_agentId": {
    "agentId": "bo"
  }
}

Expected result:

{
  "apm_agentId": {
    "agentId": "bo peng"
  }
}

Could some one help me to resolve this issue.? Thanks in advance

2

It should be no surprise that NOTSPACE stops matching when it reaches a space.

If your sample data really is

"CSIC_agentId:bo peng"

then you could match the field against

'"CSIC_agentId:%{DATA:apm_agentId.agentId}"'
3

Hi @Badger

If i use the above grok pattern in my grok debugger it is working fine.

use the same in my pipeline it is not working as expected.

Pipeline

    PUT _ingest/pipeline/dissectpipeline
    {
      "description" : "split message content",
        "processors" : [
          {
            "grok" : {
              "field" : "message",
              "patterns" : [
                "CSIC_agentId:%{DATA:apm_agentId.agentId}"
              ]
            }
          }
        ]
    }

pipeline simulation

It returns empty

    POST /_ingest/pipeline/dissectpipeline/_simulate
    {
      "docs": [
        {
          "_index": "index",
          "_id": "id",
          "_source": {
            "message": "CSIC_agentId:agent003"
          }
        },
        {
          "_index": "index",
          "_id": "id",
          "_source": {
            "message": "CSIC_agentId:agent004"
          }
        }
      ]
    }

I want you to look into this it's seems to be strange working in grok debugger not in pipeline.

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.