How to Grok a pattern into multiple field names

kmiklas · September 26, 2019, 6:58pm

How can I grok a matched pattern into multiple field names?

Is it possible to parse and assign a matched pattern twice with Grok?

Minimal, Complete, Verifiable Example

Take this log line:

09/26/2019 Keith Miklas

Apply this grok filter:

%{DATE:date}\s*%{WORD:first_name}\s*%{WORD:last_name}

This yields:

{
  "date": [
    [
      "09/26/2019"
    ]
  ],
  "first_name": [
    [
      "Keith"
    ]
  ],
  "last_name": [
    [
      "Miklas"
    ]
  ]
}

What I need is a grok filter something like this:

%{DATE:date}\s*%{WORD:first_name,fn}\s*%{WORD:last_name,ln}
%{DATE:date}\s*%{WORD:first_name&fn}\s*%{WORD:last_name&ln}
%{DATE:date}\s*%{WORD:first_name|fn}\s*%{WORD:last_name|ln}

Yielding this:

{
  "date": [
    [
      "09/26/2019"
    ]
  ],
  "first_name": [
    [
      "Keith"
    ]
  ],
  "fn": [
    [
      "Keith"
    ]
  ],
  "last_name": [
    [
      "Miklas"
    ]
  ],
  "ln": [
    [
      "Miklas"
    ]
  ]
}

Christian_Dahlqvist · September 27, 2019, 6:15am

You can not do that as far as I know, but you could copy the fields separately afterwards.

kmiklas · September 30, 2019, 5:44pm

system · October 28, 2019, 5:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Finding same pattern multiple times in one log file Logstash	7	1918	July 6, 2017
How can i parse one field further into different fields in another grok pattern? Logstash	3	1827	July 6, 2017
Multile pattren in single Grok Filter Logstash	5	331	August 28, 2018
GROK Multiple Match - Logstash Logstash	4	27158	July 6, 2017
Pattern Matching Logstash	8	1212	April 5, 2017

How to Grok a pattern into multiple field names

Related topics