How parse this field Transport: PTU.13-3034-3345-70;

Smasell · July 23, 2015, 10:58am

Hi!!!
How to parse this field? Transport: PTU.13-3034-3345-70; Is it GREEDYDATA?

Junior_Burleon · July 23, 2015, 11:48am

Which information do you want to get ?
GEEDYDATA is just to get any informations.
For example if you want

%{GREEDYDATA:firstInfo}: %{GREEDYDATA:secondInfo}\.%{GREEDYDATA:thirthInfo};

Will give you :

 {
  "firstInfo": [
    [
      "Transport"
    ]
  ],
  "secondInfo": [
    [
      "PTU"
    ]
  ],
  "thirthInfo": [
    [
      "13-3034-3345-70"
    ]
  ]
}

For me it's the easiest to use. If you use another it's because you want to get an information to match with a specific regex that already exist.

Smasell · July 23, 2015, 11:54am

@Junior_Burleon
All I want is to get field in my documents
"Transport-id" : "PTU.13-3034-3345-70"
my logs looks like this Product: starter pack; Transport: PTU.13-3034-3345-70; User ip: 207.96.147.90; user_id: 697971; name: 'Herco Diambala';
I use:
grok {
match => [ "message", "Transport: %{Syntax :transport-id};" ]
tag_on_failure => []
}
but don't know what to use instead syntax?

Junior_Burleon · July 23, 2015, 12:03pm

I think that you can't use " - " in the name.

One solution is :

grok {
    match => [ "message", "Transport: %{GREEDYDATA:Transport_id}; User" ]
   tag_on_failure => []
}

But I don't know if it's the best way.

I put "; User" at the end of syntaxe, else it will match with the last ";"

magnusbaeck · July 23, 2015, 12:07pm

%{GREEDYDATA:firstInfo}: %{GREEDYDATA:secondInfo}\.%{GREEDYDATA:thirthInfo};

Be very careful about using multiple GREEDYDATA and/or DATA patterns. I've seen a number of cases where people have done this and got really weird results.

In this particular case I'd look into using the kv filter.