Grok processor - Multiple matches of the same pattern

Hi all,

I'm using the grok processor to parse the "message" field of a document in an ingest pipeline. That field can contain zero or more occurrences of UUIDs. I'm only interested in finding all the occurrences of UUIDs in that field and storing them in another field, namely "event.uuid".
For example, if I have a message field:

message : "[req-614ac1ab-7e21-4a6e-8083-f958700e5b65 d416c08b8ad45fa775af824a0396e7a36e123dd3f48a2735e8cbeb188d01f616 - 624ac1ab-7e21-4a6e-8083-f958700e5b65 179006ca05f24f658b108370ff5ad17f default] some other stuff"

I'd like to have something like:

event.uuid : ["614ac1ab-7e21-4a6e-8083-f958700e5b65", "624ac1ab-7e21-4a6e-8083-f958700e5b65"]

I tried this configuration:

{
  "pipeline": {
    "description": "parse multiple patterns",
    "processors": [
      {
        "grok": {
          "ignore_failure": true,
          "field": "message",
          "patterns": ["%{UUID:event.uuid}"]
        }
      }
    ]
  }
}

but this results only in the first UUID, i.e.:

"event" : {
  "uuid" : "614ac1ab-7e21-4a6e-8083-f958700e5b65"
}

Can anyone help me?
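
Added example (not part of the original post): grok returns only the first match of a pattern, so one way to collect every UUID is a script processor that loops over all regex matches. It is written in Kibana Dev Tools console syntax (triple-quoted source) and assumes Painless regex support is enabled on the cluster (script.painless.regex.enabled); the regex is an 8-4-4-4-12 hex pattern written for this example.

```console
POST _ingest/pipeline/_simulate
{
  "pipeline": {
    "description": "collect every UUID found in message",
    "processors": [
      {
        "script": {
          "lang": "painless",
          "source": """
            // Skip documents without a message (zero occurrences is valid).
            if (ctx.message != null) {
              // 8-4-4-4-12 hex digits; long hex strings without hyphens do not match.
              Matcher m = /[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}/.matcher(ctx.message);
              List ids = new ArrayList();
              // find() resumes after the previous match, so all occurrences are visited.
              while (m.find()) {
                ids.add(m.group());
              }
              // Only create event.uuid when at least one UUID was found.
              if (!ids.isEmpty()) {
                if (ctx.event == null) {
                  ctx.event = new HashMap();
                }
                ctx.event.uuid = ids;
              }
            }
          """
        }
      }
    ]
  },
  "docs": [
    {
      "_source": {
        "message": "[req-614ac1ab-7e21-4a6e-8083-f958700e5b65 d416c08b8ad45fa775af824a0396e7a36e123dd3f48a2735e8cbeb188d01f616 - 624ac1ab-7e21-4a6e-8083-f958700e5b65 179006ca05f24f658b108370ff5ad17f default] some other stuff"
      }
    }
  ]
}
```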
