How to Grok a pattern into multiple field names

kmiklas · September 26, 2019, 6:58pm

How can I grok a matched pattern into multiple field names?

Is it possible to parse and assign a matched pattern twice with Grok?

Minimal, Complete, Verifiable Example

Take this log line:

09/26/2019 Keith Miklas

Apply this grok filter:

%{DATE:date}\s*%{WORD:first_name}\s*%{WORD:last_name}

This yields:

{
  "date": [
    [
      "09/26/2019"
    ]
  ],
  "first_name": [
    [
      "Keith"
    ]
  ],
  "last_name": [
    [
      "Miklas"
    ]
  ]
}

What I need is a grok filter something like this:

%{DATE:date}\s*%{WORD:first_name,fn}\s*%{WORD:last_name,ln}
%{DATE:date}\s*%{WORD:first_name&fn}\s*%{WORD:last_name&ln}
%{DATE:date}\s*%{WORD:first_name|fn}\s*%{WORD:last_name|ln}

Yielding this:

{
  "date": [
    [
      "09/26/2019"
    ]
  ],
  "first_name": [
    [
      "Keith"
    ]
  ],
  "fn": [
    [
      "Keith"
    ]
  ],
  "last_name": [
    [
      "Miklas"
    ]
  ],
  "ln": [
    [
      "Miklas"
    ]
  ]
}

Christian_Dahlqvist · September 27, 2019, 6:15am

You can not do that as far as I know, but you could copy the fields separately afterwards.

kmiklas · September 30, 2019, 5:44pm

system · October 28, 2019, 5:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok Filter - alternative patterns for same field? Logstash	3	1506	July 24, 2020
Grok performance Logstash	5	1307	January 18, 2018
GROK Multiple Match - Logstash Logstash	4	27103	July 6, 2017
Grok pattern to parse to multiple values Logstash	6	1605	February 26, 2021
How can i parse one field further into different fields in another grok pattern? Logstash	3	1803	July 6, 2017

How to Grok a pattern into multiple field names

Related topics