Grok patterns : creating new field

Sylfaen · April 25, 2017, 1:52pm

Hello !

I was wondering if it is possible to embed the content of a field to a new "structured field" ?

For example, from a JDBC entry, I've got a column named message which contains informations with the following format:
CONFIRM;userId:58428;status:DONE;...

With a grok match, I succeeded to split the message column into several new document fields :

"_index": "demo",
"_type": "demologs",
"_id": "AVulVdwqUVyhaHL536Vw",
"_score": 1,
"_source": {
"date": "2015-09-27T12:21:58.000Z",
"amount": "58.2",
"type": "CONFIRM",
"userId": "58428",
"status": "DONE",
} ...

Date/Amount come from other column of the table.
But is it possible to create a field that encapsulate all message informations without manually use the add_field feature ?

"_index": "demo",
"_type": "demologs",
"_id": "AVulVdwqUVyhaHL536Vw",
"_score": 1,
"_source": {
"date": "2015-09-27T12:21:58.000Z",
"amount": "58.2",
"message" : {
"type": "CONFIRM",
"userId": "58428",
"status": "DONE",
},
} ...

Thanks!

magnusbaeck · April 25, 2017, 2:01pm

In your grok expression, use (for example) [message][type] instead of type.

Sylfaen · April 25, 2017, 2:05pm

Hey,

Thanks for your quick answer!

What you mean is to specify the type above the match expression ?
My grok expression looks like this :

grok {
match => { "message" => "^%{DATA:type}?;userId:%{DATA:userId}?;status:%{WORD:status}?" }
}

Thanks again!

magnusbaeck · April 25, 2017, 2:06pm

I mean: In your grok expression, replace type with [message][type].

Sylfaen · April 25, 2017, 2:58pm

I replace [message] with a new field's name and it's working very well.

Thanks Magnus

system · May 23, 2017, 3:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.