Grok with multiple square brackets

Hello,

I had a log with multiple square brackets like below:
[info 2018/04/11 23:59:59.999999 ABC ABCDEX:99999 123456789876543] IO error[000] installed ... ... ...[ABCDEX:90909]: ...::... failed with errno: 000: ... ...

I tried the grok debugger and the result isn't what I wanted. Here is my config:
\[%{GREEDYDATA:data_temp}\] %{GREEDYDATA:detail}

And result:
{
  "data_temp": [
    [
      "info 2018/04/11 23:59:59.999999 ABC ABCDEX:99999 123456789876543] IO error[000"
    ]
  ],
  "detail": [
    [
      "installed ... ... ...[ABCDEX:90909]: ...::... failed with errno: 000: ... ..."
    ]
  ]
}

But I want to get the result like below:
{
  "data_temp": [
    [
      "info 2018/04/11 23:59:59.999999 ABC ABCDEX:99999 123456789876543"
    ]
  ],
  "detail": [
    [
      "IO error[000] installed ... ... ...[ABCDEX:90909]: ...::... failed with errno: 000: ... ..."
    ]
  ]
}

Can someone tell me where I'm going wrong?
Thanks.

Regards,
zxc654951

DATA should work better than GREEDYDATA, but even better is to use neither. Use (?<name-of-field>[^\]]*) to match and capture zero or more characters of any kind except ]. That's more efficient.

It works. Thank you.
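The three variants discussed in this thread (GREEDYDATA, DATA, and the negated character class), run against the log line from the question. This is an added example, not part of the original posts. It is written in Ruby because grok patterns compile to Oniguruma-style regular expressions; the `expand` and `parse` helpers are hypothetical stand-ins that handle only the two macros used here.

```ruby
# Constructed sample: the log line quoted in the question.
LINE = '[info 2018/04/11 23:59:59.999999 ABC ABCDEX:99999 123456789876543] ' \
       'IO error[000] installed ... ... ...[ABCDEX:90909]: ...::... ' \
       'failed with errno: 000: ... ...'

# The two grok macros used in this thread and the regex each stands for.
GROK_MACROS = { 'GREEDYDATA' => '.*', 'DATA' => '.*?' }.freeze

# Patterns under comparison (brackets escaped so they match literally).
GREEDY  = '\[%{GREEDYDATA:data_temp}\] %{GREEDYDATA:detail}'
LAZY    = '\[%{DATA:data_temp}\] %{GREEDYDATA:detail}'
NEGATED = '\[(?<data_temp>[^\]]*)\] %{GREEDYDATA:detail}'

# Hypothetical helper: expand %{MACRO:field} into a named capture group.
# Only the two macros above are supported; real grok has many more.
def expand(pattern)
  pattern.gsub(/%\{(\w+):(\w+)\}/) do
    macro = Regexp.last_match(1)
    field = Regexp.last_match(2)
    "(?<#{field}>#{GROK_MACROS.fetch(macro)})"
  end
end

# Returns a Hash of field => value, or nil when the line does not match.
def parse(pattern, line)
  match = Regexp.new(expand(pattern)).match(line)
  match&.named_captures
end

if __FILE__ == $PROGRAM_NAME
  { 'GREEDYDATA' => GREEDY, 'DATA' => LAZY, '[^\]]*' => NEGATED }.each do |name, pat|
    puts "#{name}: #{parse(pat, LINE).inspect}"
  end
  # A header with no closing bracket is rejected instead of mis-split.
  puts "unterminated: #{parse(NEGATED, '[info no closing bracket').inspect}"
end
```

The greedy pattern backtracks from the end of the line to the last `] `, which is why it swallows `IO error[000`; the lazy and negated-class patterns both stop at the first `]`.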
