Grok, variable length array beside normal fields

Hi, I have a log that contains an array and normal fields, separated by a space

field1 field2 ['27', '32'] field4

my grok will be

%{DATA:field1} %{DATA:field2} ??????? %{DATA:field4}

How can I grok this variable length array?

Thanks

I would do it with dissect instead of grok, if you really want to use grok then

%{NOTSPACE:field1} %{NOTSPACE:field2} \[%{NOTSPACE:field3}\] %{DATA:field4}

might work. Then use mutate+split on field3.

I was trying to follow your answer in another post, but without results, grokparse failure, can you see what is wrong with my code?

this is the log:


02/04/20 17:07:58 ['somehostgroup', 'Auto Discovery'] --somehost-- 1501869 10255 ['27', '178']

The conf

filter {
        if [application] == "2uptime" {
                grok {
                        match => {"message" => "%{DATA:fecha} %{TIME:hora} \[%{NOTSPACE:hostgroup}\] --%{DATA:hostname}-- %{NUMBER:value} %{NUMBER:hostid} \[%{NOTSPACE:hgid}\]"}
                }

                ruby {
                code => '
                    a = event.get("hostgroup")

                    if a then
                        a.each_index { |i|
                            event.set("hgname#{i+1}", a[i])
                        }
                    end

                    x = event.get("hgid")

                    if x then
                        x.each_index { |z|
                            event.set("hgid#{z+1}", x[z])
                        }
                    end
                '
                }
        }
}

That contains spaces, so does not match NOTSPACE. Try switching it to DATA.


Thanks Badger, but now it gives me:

"Ruby exception occurred: undefined method `each_index' for...the rest of hostgroups in the array"

I've tried removing the brackets surrounding the hostgroup and the hostgroupid,

\[%{DATA:hostgroup}\]

to

%{DATA:hostgroup}

thinking that maybe ruby doesn't know that it is an array, but it didn't work either

If you have

The [hostgroup] field is not an array, it is a string. You may be able to convert it to an array using the split function of a mutate filter (not a split filter).

The equivalent of

event.get("hostgroup").each_index

will throw an undefined method exception unless [hostgroup] is an array.

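To make the string-versus-array point concrete, here is an added Ruby emulation of the pipeline (not code from the thread or from Logstash itself): a regex standing in for the grok match with DATA on the bracketed fields, a `mutate_split` function standing in for mutate's split plus gsub, and the posted ruby filter logic on top. The sample line and the separator ", " are assumptions taken from the log shown above.

```ruby
# Constructed sample, copied from the log line posted in the thread.
SAMPLE = "02/04/20 17:07:58 ['somehostgroup', 'Auto Discovery'] --somehost-- 1501869 10255 ['27', '178']"

# Regex equivalent of the grok pattern once NOTSPACE is swapped for DATA:
# DATA ~ .*?  NUMBER ~ \d+  TIME ~ \d\d:\d\d:\d\d
PATTERN = /\A(?<fecha>.*?) (?<hora>\d\d:\d\d:\d\d) \[(?<hostgroup>.*?)\] --(?<hostname>.*?)-- (?<value>\d+) (?<hostid>\d+) \[(?<hgid>.*?)\]\z/

# Like grok: returns a hash of captured fields, or nil on a parse failure.
# Every captured field is a String, including hostgroup and hgid.
def grok(line)
  m = PATTERN.match(line)
  return nil unless m
  m.names.each_with_object({}) { |n, h| h[n] = m[n] }
end

# Emulates mutate { split => { field => ", " } } followed by a gsub that
# strips the surrounding single quotes. Only a String is converted.
def mutate_split(event, field, sep = ", ")
  return event unless event[field].is_a?(String)
  event[field] = event[field].split(sep).map { |s| s.gsub(/\A'|'\z/, "") }
  event
end

# The thread's ruby filter, guarded so it only runs once the field is an Array.
def ruby_filter(event)
  a = event["hostgroup"]
  a.each_index { |i| event["hgname#{i + 1}"] = a[i] } if a.is_a?(Array)
  x = event["hgid"]
  x.each_index { |z| event["hgid#{z + 1}"] = x[z] } if x.is_a?(Array)
  event
end

# Full pipeline: grok -> mutate split -> ruby. Tags parse failures like Logstash.
def process(line)
  event = grok(line)
  failure = { "tags" => ["_grokparsefailure"] }
  return failure unless event
  mutate_split(event, "hostgroup")
  mutate_split(event, "hgid")
  ruby_filter(event)
end

# What the original ruby filter hits when the split step is missing:
# calling each_index on the still-unsplit String raises NoMethodError.
def unsplit_error(line)
  grok(line)["hostgroup"].each_index { |_i| }
  nil
rescue NoMethodError => e
  e.class.name
end
```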
