Hello,
I am a Grok newbie , this is my first post i need to know how to grok hex values into a grok pattern for the purpose of creating a logstash pipeline.I have googled for a while but found nothing helpful
this is a typical sample of the data i need to grok
4167b8f8 RADAR_PASW42_LSSW_J0570001|23fe|b72afd25|10f
Any help would be greatly appreciated
Can you give more context about what you want to do?
What is your expected output?
What fields do you want to extract from this message:
4167b8f8 RADAR_PASW42_LSSW_J0570001|23fe|b72afd25|10f
Also, if your data always look like the one you shared, you do not even need grok to parse it, there are other filters like dissect, csv and kv, that can be combined to parse a message more easily than grok.
4167b8f8 RADAR_PASW42_LSSW_J0570001|23fe|b72afd25|10f
| | | | |
| | | | +-> Unique number in hex
| | | +--------> Directory Identifier
| | +---------------> File Size in hex
| +-------------------------------> File Name
+---------------------------------------------------> Unix Time in hex
Hope this explains it better
You want something like this?
Unix Time in hex = 4167b8f8
File name = RADAR_PASW42_LSSW_J0570001
File Size in hex = 23fe
Directory Identifier = b72afd25
Unique number in hex = 10f
If so, you can easily use the dissect filter plugin to parse this message.
Something like this:
filter {
dissect {
mapping => {
"message" => "%{time_in_hex} %{file_name}|%{size_in_hex}|%{directory_id}|%{unique_number}"
}
}
}
You can also use grok, but everything will need to use the DATA pattern.
filter {
grok {
match => {
"message" => "%{DATA:time_in_hex}%{SPACE}%{DATA:file_name}|%{DATA:size_in_hex}|%{DATA:directory_id}|%{DATA:unique_number}"
}
}
}
There's nothing native to convert hex to decimal. You might be able to do it via Script processor | Elasticsearch Guide [8.4] | Elastic, but it'd probably be a funky script.
HI Leandrojmp many thanks for all your help very useful, on the other sample data i managed to work with it ...however how do i grok for this other sample data , i have made some progress but note quite what want
6310fc62 Example-pre 0 0 a|20220901183445_solar_radio07274b0_refl-opt_metdb.h5||6b613|0.01|0|54270446|6310fc62_53bd_0
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.