Grok working, but how do I put it in a pattern?

(Sjaak) #1


Stupid question but how can I create a custom pattern and call on it? I've used the grok debugger to make sure everything gets parsed correctly but I'm not sure how to go from there.

Log data (events come in one per line; I want grok to apply all patterns to each line until it finds a matching one, and I will drop the ones that fail):

EbNo Value :  06.1dB
STATE: Tracking
TEMP = 150.1 deg F

My grok pattern

EbNo Value :  (?<Eb>[\d.\d]{4})(?<remove_db>[\w]{2})
STATE: %{WORD:state}
TEMP = (?<temp>[\d.\d]{3,5}) (?<remove_deg>[\w ]{5})

Reading the docs, it's not clear how to proceed. Should I put something like this in my pattern?

EB_VALUE EbNo Value :  (?<Eb>[\d.\d]{4})(?<remove_db>[\w]{2})

and then put something like this in the filter if I want to create a field called eb?

patterns_dir => ["./patterns"]
match => { "message" => "%{EB_VALUE:eb}" }

Also, if I want grok to try each pattern on a log line until it finds a matching one, should I put in an array of all the patterns I have?
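An added example, not Sjaak's code and not from the original thread, of the setup the question describes: the three patterns defined as named custom patterns, a match array tried in order, and unmatched lines dropped. The field names eb, state and temp and the ./patterns path are assumptions.

```logstash
# Added example (not from the original thread): a Logstash pipeline that
# defines the three custom patterns and tries them in order on each line.
# Assumptions: one log line per event in [message]; field names eb, state
# and temp are my choice; the ./patterns path is hypothetical.
filter {
  grok {
    # The same three definitions could live in ./patterns/custom as
    # "NAME pattern" lines and be loaded with patterns_dir => ["./patterns"].
    pattern_definitions => {
      # \s+ tolerates the double space; :float casts; "dB" is matched but not kept.
      # Note: [\d.\d]{4} in the original is a character class (digit or dot),
      # so it also accepts "...." ; %{NUMBER} is stricter.
      "EB_VALUE"    => "EbNo Value :\s+%{NUMBER:eb:float}dB"
      "MODEM_STATE" => "STATE: %{WORD:state}"
      "MODEM_TEMP"  => "TEMP = %{NUMBER:temp:float} deg F"
    }
    # An array is tried top to bottom; break_on_match (default true) stops at
    # the first pattern that matches, so each line costs at most three tries.
    # Anchoring with ^ and $ makes a non-match fail fast instead of scanning.
    match => {
      "message" => [
        "^%{EB_VALUE}$",
        "^%{MODEM_STATE}$",
        "^%{MODEM_TEMP}$"
      ]
    }
    tag_on_failure => ["_grokparsefailure"]
  }

  # Lines that none of the patterns matched are dropped, as the question wants.
  if "_grokparsefailure" in [tags] {
    drop { }
  }
}
```

With this pipeline "EbNo Value :  06.1dB" yields eb => 6.1, "STATE: Tracking" yields state => "Tracking", and "TEMP = 150.1 deg F" yields temp => 150.1; any other line is dropped.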

(Sjaak) #2

Does not lead to the desired output. Where am I going wrong?

(Sjaak) #3

Okay, I got it working by simply matching EbNo Value : (?<Eb>[\d.\d]{4})(?<remove_db>[\w]{2}) directly from the filter without using a pattern file.

Doesn't look pretty, but it works.
