Grok - Positive Lookbehind

paolo1 · October 6, 2017, 12:32pm

Hi,

Does grok match support 'positive lookbehind'? I'm take everything after 'Details=' in the following json example:

{
"Field":"Details=xyz"
}

match => ["Field", "(?< Field2 >(?<=Details=).*)"]

I am getting grok failures even though the construction in the match is sound..

paz · October 9, 2017, 1:21pm

Grok does indeed support lookaheads/lookbehinds as regex expression. The reason you're probably getting grokfailures is those spaces inside the capture group name. Try this instead

grok {
    match => {
        "Field" => "(?<Field2>(?<=Details=).*)"
    }
}

system · November 6, 2017, 1:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Is positive lookbehind supported in Logstash at all? Logstash	5	1172	April 14, 2021
Logstash grok not working Logstash	2	269	April 21, 2018
Negative look behind not working Logstash	1	778	December 26, 2016
Logstash (elastic stack 5.6) grok regex Logstash	4	592	December 27, 2017
Regular expression problem Logstash	12	2463	July 6, 2017

Grok - Positive Lookbehind

Related topics