Grok regex with or

Carlos_Fernando_Palm · November 9, 2020, 6:56pm

Hello. I am trying to get some info from a message field using regular expressions. Concretely I want to get what's after certain keywords. This is the regex:

(?<="title" :)(.+?)(?=,)|((?<="description" :)(.+?)(?=,))

Now the problem is that when I run this on the kibana grok debugger it does not return all the text, just the first match.
For example with this json:

 [{
 	"image": {
 		"url": "/path/toimages/images.jpg",
 		"alt": "Hotels"
 	},
 	"title": "Hotels",
 	"description": "The best places to stay in the city",
 	"elements": [{
 		"text": "Hotels",
 		"action": {
 			"type": "EVENT",
 			"name": "anyname",
 			"entities": {
 				"reply": "reply",
 				"option": "nameofoption",
 				"query": "thequery"
 			}
 		}
 	}]
 }]

The response of the regex is:

{
 "response": " \"Hotels\""
}

However when using regexr.com the text after title and the text after description are highlighted:

Does the regex used in grok support this kind of aggregation of text using the | operator?

Badger · November 9, 2020, 7:38pm

grok does support alternation with |, but grok only returns the first match for a pattern. If you want all the matches use a ruby filter and do a String .scan

Carlos_Fernando_Palm · November 9, 2020, 8:41pm

Thank you for the answer.
Do you know where I can find documentation on how to use a ruby filter inside logstash.conf?

Badger · November 9, 2020, 9:26pm

The ruby filter is documented here. Examples of using scan in a ruby filter can be found here and here.

Carlos_Fernando_Palm · November 10, 2020, 2:14pm

Thanks

system · December 8, 2020, 2:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.