GROK Pattern

Elastic Stack Logstash
1

I try to parse data from ELK to Kibana using logstash. I write some customize grok Pattern using this site https://grokdebug.herokuapp.com/ here the pattern is fine in but when i parse the data from logstash some data is parse correct some data have issue. for example

image
image1366×768 57.1 KB
here its all good but when i parse the data it shows only PN Dockyard in the result. Same if i use three different words it does not parse any help. For its working fine on PN Dockyard using this (?\b\w+\b \b\w+\b) but when i parse the data with PN Dockyard Branch result will only show PN Dockyard Branch its not showing. Any Help would be appreciated

2

121

3

this is the result in the location instead of PN Dockyard Branch it returns only PN Dockyard

4

If you run

input { generator { count => 1 lines => [ 'PN Dockyard Branch' ] } }
filter {
    grok { match => { "message" => [ "(?<Location>\b\w+\b \b\w+\b \b\w+\b)" ] } }
}
output  { stdout { codec => rubydebug { metadata => false } } }

you will get

  "Location" => "PN Dockyard Branch",

If you change the grok to

grok { match => { "message" => [ "(?<Location>\b\w+\b \b\w+\b)" ] } }

you will get

"Location" => "PN Dockyard",

What else would you expect?

5

@Badger thanks for the reply. I will check and revert you back. Actually i have 2 million of data and location is coming like PN Dockyard Branch, AIOU Branch, Main Bazar Shahi Sukkur, Tehsil and district badin branch how would i capture all these in one configuration file

6

I am using mysql server and made connectivity to the elk stack for this. So the data is parse through my sql server.

7

It would be essential to know the full string to find out what separates the location from the rest of the text.

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.