Hi!!!
How do I parse this field? Transport: PTU.13-3034-3345-70; Is it GREEDYDATA?
Which information do you want to get?
GREEDYDATA is just to get any information.
For example, if you want
%{GREEDYDATA:firstInfo}: %{GREEDYDATA:secondInfo}\.%{GREEDYDATA:thirthInfo};
it will give you:
{
  "firstInfo": [
    [
      "Transport"
    ]
  ],
  "secondInfo": [
    [
      "PTU"
    ]
  ],
  "thirthInfo": [
    [
      "13-3034-3345-70"
    ]
  ]
}
For me it's the easiest to use. If you use another one, it's because you want to get information that matches a specific regex that already exists.
@Junior_Burleon
All I want is to get this field in my documents:
"Transport-id" : "PTU.13-3034-3345-70"
My logs look like this: Product: starter pack; Transport: PTU.13-3034-3345-70; User ip: 207.96.147.90; user_id: 697971; name: 'Herco Diambala';
I use:
grok {
match => [ "message", "Transport: %{Syntax :transport-id};" ]
tag_on_failure => []
}
but I don't know what to use instead of "Syntax"?
I think that you can't use "-" in the name.
One solution is:
grok {
match => [ "message", "Transport: %{GREEDYDATA:Transport_id}; User" ]
tag_on_failure => []
}
But I don't know if it's the best way.
I put "; User" at the end of the syntax, otherwise it will match with the last ";".
%{GREEDYDATA:firstInfo}: %{GREEDYDATA:secondInfo}\.%{GREEDYDATA:thirthInfo};
Be very careful about using multiple GREEDYDATA and/or DATA patterns. I've seen a number of cases where people have done this and got really weird results.
In this particular case I'd look into using the kv filter.
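As an added illustration of the two points made in this thread (GREEDYDATA running to the last ";" unless the next field anchors it, and splitting the line into key/value pairs instead), here is a small Python emulation. It is not Logstash code: grok's GREEDYDATA is reproduced as the regex `.*`, and the `kv_parse` function is an assumed plain-Python stand-in for the kv filter, not the filter itself.

```python
import re
from typing import Optional

# Constructed sample line, copied from the log format shown in the thread.
SAMPLE_LINE = ("Product: starter pack; Transport: PTU.13-3034-3345-70; "
               "User ip: 207.96.147.90; user_id: 697971; name: 'Herco Diambala';")

# %{GREEDYDATA:name} in grok compiles to the regex (?<name>.*), which is greedy.
GREEDY = r"(?P<transport_id>.*)"


def grok_transport(line: str, anchor_on_next_field: bool) -> Optional[str]:
    """Emulate the two grok match strings from the thread.

    anchor_on_next_field=False -> 'Transport: %{GREEDYDATA:Transport_id};'
    anchor_on_next_field=True  -> 'Transport: %{GREEDYDATA:Transport_id}; User'
    The unanchored form lets .* backtrack only as far as the LAST ';' on the
    line, so the capture swallows every later field.
    """
    tail = "; User" if anchor_on_next_field else ";"
    pattern = re.compile("Transport: " + GREEDY + re.escape(tail))
    m = pattern.search(line)
    return m.group("transport_id") if m else None


def kv_parse(line: str) -> dict:
    """Assumed stand-in for a kv filter with field_split ';' and value_split ':'.

    Each 'key: value' chunk is split on its FIRST ':' only, so values that
    themselves contain '.' or '-' (like the transport id) stay intact.
    Surrounding quotes on a value are stripped, as in the name field.
    """
    fields = {}
    for chunk in line.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        key, sep, value = chunk.partition(":")
        if not sep:
            continue  # not a key/value chunk; skip rather than guess
        fields[key.strip()] = value.strip().strip("'")
    return fields


def transport_id(line: str) -> Optional[str]:
    """The field the original poster asked for, taken from the kv result."""
    return kv_parse(line).get("Transport")
```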