How to create grok filter based on targeted word in message?

Hi guys, please verify whether this is the proper way to use grok?

If "i am happy: true" in [message] {
grok { match => "message" , "%{GREEDYDATA:myfield"}

}

My intention is to create a new field based on a specific string to be selected in message for visualization later.
Any help is really really appreciated as I'm still new with this ELK! Thanks guys

The syntax is wrong, it should be

grok { match => { "message" => "%{GREEDYDATA:myfield}" } }

That said, if you match a field against GREEDYDATA all you are doing is creating a copy of the field, which would be better done using a mutate filter.

Hi badger,
Thanks for your response.

For my case I really need to check the message content, like if "i am so happy: true" then create one field for that like myfield, or if "i am so happy: false" then create another field for that. Is it possible to check and verify the content inside the [message] to do that?

You could use grok to pull out true/false using

grok { match => { "message" => "^i am so happy: %{WORD:happyOrNot}" } }

which will get you

"happyOrNot" => "true",

Note that that is a string, not a boolean.

OK, noted that, but is there any logic that I can use, like when this string is in [message] then create this field?

Example is like

If "i am so happy: true" in [message] {
mutate { addfield , "myfield"=> %[message]}
}

Can I use this way?

You could do that but the syntax is

mutate { add_field => { "myfield" => "%{[message]}" } }
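Putting the three answers above together, here is a complete pipeline file as an added example; it is not code from any poster in this thread. It keeps the thread's field names (message, happyOrNot, myfield) and assumes a generator input with constructed sample lines so it can be run offline with `bin/logstash -f happy.conf`; the unhappyfield name and the stdout output are assumptions for illustration only.

```logstash
# Added example (not from the thread). Run with: bin/logstash -f happy.conf
input {
  # Constructed sample events standing in for the real input (beats, file, ...).
  generator {
    lines => [
      "i am so happy: true",
      "i am so happy: false",
      "something unrelated"
    ]
    count => 1
  }
}

filter {
  # 1. Pull the literal true/false out of the message as a string.
  #    The ^ anchor keeps the match cheap; an event that does not match
  #    gets the default _grokparsefailure tag instead of a happyOrNot field.
  grok {
    match => { "message" => "^i am so happy: %{WORD:happyOrNot}" }
  }

  # 2. grok only ever produces strings. If the field was created, turn the
  #    "true"/"false" string into a real boolean for visualization.
  if [happyOrNot] {
    mutate {
      convert => { "happyOrNot" => "boolean" }
    }
  }

  # 3. The substring-style conditional from the thread, with corrected syntax:
  #    copy the whole message into a per-case field. unhappyfield is an
  #    assumed name for the "false" branch asked about above.
  if "i am so happy: true" in [message] {
    mutate {
      add_field => { "myfield" => "%{[message]}" }
    }
  } else if "i am so happy: false" in [message] {
    mutate {
      add_field => { "unhappyfield" => "%{[message]}" }
    }
  }
}

output {
  # rubydebug prints each event so the new fields and their types are visible.
  stdout { codec => rubydebug }
}
```

Step 1 plus step 2 is usually all you need: one boolean field is easier to filter and visualize than two separate copies of the message. Step 3 is there only to show the corrected `in [message]` conditional; note that the substring test also fires on a message like "i am so happy: true, really" because it is a plain substring match, whereas the grok pattern is anchored to the start of the line.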

Thanks a lot for the corrections given!! Really appreciated! I will try to implement it in such a way and will update here later.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.