Grok regex ignore characters in named capture group

Tyngd_Punkt · August 10, 2016, 4:02pm

I have a row of data being sent to logstash. The row can contain several IP addresses. However one ip address is always prefixed with IPv4: and i want to only capture this IP address so i have created this Grok regex:

match => ["message", "(?<IPv4>IPv4:\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))"]

which works except for that the new field content looks like this: (it contains IPv4:)
IPv4: 10.10.10.1

When i want it to only contain the IP:
10.10.10.1

How can i continue to look for IPv4: to make sure i get the right IP but remove IPv4: from the capture group?

magnusbaeck · August 11, 2016, 6:28am

Just put "IPv4:\s*" outside the capture group.

IPv4:\s*(?<IPv4>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

Or use the IPV4 grok pattern:

IPv4:\s*%{IPV4:IPv4}

Tyngd_Punkt · August 11, 2016, 12:10pm

Big thanks, i have learned a lot today

Topic		Replies	Views
Grok Regex - Captured and Non-Captured Groups Logstash	3	3780	July 6, 2017
Logstash grok filter with regex Logstash	1	324	December 15, 2018
Ignore a string from logstash from grok pattern Logstash	5	6570	December 24, 2019
How to parse this format of log Logstash	6	320	August 5, 2019
IPv4 and IPv6 Logstash	1	1590	July 6, 2017

Grok regex ignore characters in named capture group

Related topics