Grok regex pattern for symbols?

Let's say I have a string:

"petBreed":"dachshund" "petName":"rufus" "petAge":"12"

The value is not constant and can vary in length and content.

And I want to use grok overwrite to remove rufus from the raw string.

So a lookbehind and lookahead regex pattern that matches based on a match to petName, then removes the string after it through grok overwrite.

When using a grok pattern you have to match the whole string in some way shape or form. However, if you don't care about the value of petName then don't assign a field name to that pattern.

"petBreed":"%{NOTSPACE:petBreedFieldValue}" "petName":"%{NOTSPACE}" "petAge":%{NOTSPACE:petAgeFieldValue}

{
  "petBreedFieldValue": [
    [
      "dachshund"
    ]
  ],
  "NOTSPACE": [
    [
      "rufus"
    ]
  ],
  "petAgeFieldValue": [
    [
      ""12""
    ]
  ]
}

You could also skip that field entirely:

"petBreed":"%{NOTSPACE:petBreedFieldValue}" %{DATA} "petAge":"%{NOTSPACE:petAgeFieldValue}"

If your message/string has this format:

"petBreed":"dachshund" "petName":"rufus" "petAge":"12"

You do not need grok to parse it, you can use the kv filter.

No, you do not. grok is quite happy to match a pattern in the middle of a string. If [message] contains

"petBreed":"dachshund" "petName":"rufus" "petAge":"12"

then

grok { match => { "message" => 'Name":"%{WORD:name}' } }

will work just fine.

Sorry for the confusion (if any); I modified the question to add the fact that the petName value can vary, but must be removed.

I stand corrected.
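
The approaches discussed in this thread, combined into one filter section as an added example (not code from any of the posters): the petName value is blanked in the raw message, then the remaining pairs are parsed with kv instead of grok. The use of mutate gsub and the kv option values are assumptions chosen to fit the sample line in the question.

```logstash
filter {
  # Blank whatever follows "petName":" up to the next double quote, regardless
  # of length or content. The lookbehind anchors on the key, so only that
  # value is touched and the key itself stays in the message.
  # Caveat: a value containing an escaped quote (\") would only be removed
  # up to that quote.
  mutate {
    gsub => [ "message", '(?<="petName":")[^"]*', '' ]
  }

  # Parse the "key":"value" pairs. Pairs are separated by a space and
  # key/value by a colon; the surrounding double quotes are trimmed.
  kv {
    source       => "message"
    field_split  => " "
    value_split  => ":"
    trim_key     => '"'
    trim_value   => '"'
    # Never create a petName field, even if the gsub above is removed.
    exclude_keys => [ "petName" ]
  }
}
```

For the sample line this leaves `"petBreed":"dachshund" "petName":"" "petAge":"12"` in message and creates the fields petBreed and petAge.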
