How to grok pattern match middle of a string?

mohsin106 · June 23, 2021, 12:47am

I have a string that looks like this:

SITE;500400;PEER FLOW (AS 3535);;100G;MR;PP:10.02.01.91 97,98;

I just want to extract "FLOW" into a field named peer.

I tried doing this:

(?<peer>\w+\D\d+\D\w+\s(\w+))

But that gives me:

{"peer": "SITE;500400;PEER FLOW"}

Is it also possible to extract "10.02.01.91" and join it with "FLOW" so that "FLOW 10.02.01.91" can be assigned to peer?

mohsin106 · June 23, 2021, 1:11am

I think I figured out the first part. The following gives me "FLOW" assigned to a field named peer:

%{WORD:sitename}\D(?<number>\d+)\D\w+\s(?<peer>\w+)

Output:

{
  "sitename": "SITE",
  "number": "500400",
  "peer": "FLOW"
}

Cad · June 25, 2021, 4:51pm

Hi,

Multiple possibilities, two example here:

This one is a pattern for the whole line
%{DATA};%{DATA};%{WORD}\s%{WORD:peer}%{DATA};%{DATA};%{DATA};%{DATA};%{DATA}%{IP:ip}%{DATA};
This one is a patter just for the informations you want
%{DATA};%{DATA};%{WORD}\s%{WORD:peer}.*%{IP:ip}

Cad.

system · July 23, 2021, 4:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok regex pattern for symbols? Logstash	6	753	November 10, 2021
Grok filter problem Logstash	3	890	July 6, 2017
Split grok pattern Logstash	3	2824	July 6, 2017
I'm just confused in using grok Logstash	10	473	June 21, 2018
How to extract things from beginning and end of a long single line log not parsing or extracting the thing in the middle of log Logstash	5	2700	July 19, 2018