How to Grok a pattern into multiple field names

kmiklas · September 26, 2019, 6:58pm

How can I grok a matched pattern into multiple field names?

Is it possible to parse and assign a matched pattern twice with Grok?

Minimal, Complete, Verifiable Example

Take this log line:

09/26/2019 Keith Miklas

Apply this grok filter:

%{DATE:date}\s*%{WORD:first_name}\s*%{WORD:last_name}

This yields:

{
  "date": [
    [
      "09/26/2019"
    ]
  ],
  "first_name": [
    [
      "Keith"
    ]
  ],
  "last_name": [
    [
      "Miklas"
    ]
  ]
}

What I need is a grok filter something like this:

%{DATE:date}\s*%{WORD:first_name,fn}\s*%{WORD:last_name,ln}
%{DATE:date}\s*%{WORD:first_name&fn}\s*%{WORD:last_name&ln}
%{DATE:date}\s*%{WORD:first_name|fn}\s*%{WORD:last_name|ln}

Yielding this:

{
  "date": [
    [
      "09/26/2019"
    ]
  ],
  "first_name": [
    [
      "Keith"
    ]
  ],
  "fn": [
    [
      "Keith"
    ]
  ],
  "last_name": [
    [
      "Miklas"
    ]
  ],
  "ln": [
    [
      "Miklas"
    ]
  ]
}

Christian_Dahlqvist · September 27, 2019, 6:15am

You can not do that as far as I know, but you could copy the fields separately afterwards.

kmiklas · September 30, 2019, 5:44pm

system · October 28, 2019, 5:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.