How to grok something out of the middle of a line?

If I have a line like:

the quick brown fox

How can I grok "brown" out of that line?

(?<color>(brown)) does not work.

If I do something like (?<color>.*(brown)), the color field ends up with "the quick brown".

My specific use case is getting the timestamp from the GitLab production.log file. It is not at the beginning of the line.

I've been testing with Grok Constructor but I just haven't figured it out. And at this time of day, I'm not going to get any farther. So any help will be appreciated.

(?<color>(brown)) does not work.

Works fine for me:

$ cat test.config
input { stdin {} }
output { stdout { codec => rubydebug } }
filter {
  grok {
    match => ["message", "(?<color>(brown))"]
  }
}
$ echo 'the quick brown fox' | /opt/logstash/bin/logstash -f test.config
Settings: Default pipeline workers: 2
Pipeline main started
{
       "message" => "the quick brown fox",
      "@version" => "1",
    "@timestamp" => "2016-05-26T03:43:00.830Z",
          "host" => "hallonet",
         "color" => "brown"
}
Pipeline main has been shutdown
stopping pipeline {:id=>"main"}

Note that the inner set of parentheses in your grok expression serve no purpose.

If I do something like (?<color>.*(brown)), the color field ends up with "the quick brown".

Yes, because .* is inside the outer parentheses that denote what's being captured into the color field. If you move .* to the outside it'll work.

Interesting. The first one does not work when tested on grok constructor. I assume that's a bug on that site, since it works with logstash itself.

.*(?<color>(brown)) does work on grok constructor.

Thanks for the help!

You can use this in Grok

\S+ \S+ %{WORD:color}
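The three patterns discussed in this thread, plus the mid-line timestamp case from the original question, as an added example (not code from the thread or from Logstash). Grok patterns are Oniguruma regexes, the same engine Ruby uses, and the grok filter does not anchor them, so a plain Ruby match reproduces what the filter captures. The GitLab production.log line is a constructed Rails-style sample, not a real log line.

```ruby
# Emulate what the grok filter does with a named-capture pattern: compile it
# unanchored and return one field per named group, exactly as grok would.
def grok_like(pattern, line)
  m = Regexp.new(pattern).match(line)
  return nil unless m
  m.names.each_with_object({}) { |name, fields| fields[name] = m[name] }
end

LINE = 'the quick brown fox'

# Pattern from the first post: matches anywhere in the line, so no leading
# .* is needed, and the inner parentheses add nothing.
def capture_brown
  grok_like('(?<color>(brown))', LINE)
end

# With .* inside the named group, everything before "brown" is captured too.
def capture_with_star_inside
  grok_like('(?<color>.*(brown))', LINE)
end

# With .* outside the named group, the field holds only "brown".
def capture_with_star_outside
  grok_like('.*(?<color>(brown))', LINE)
end

# Constructed Rails-style production.log line (assumed format, not taken from
# a real GitLab log); the timestamp sits after "at", not at line start.
GITLAB_LINE = 'Started GET "/users/sign_in" for 127.0.0.1 at 2016-05-26 03:43:00 +0000'

# Anchor on the literal "at " that precedes the timestamp and capture only
# the timestamp itself; nothing before "at " ends up in the field.
def capture_timestamp
  ts = '\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}'
  grok_like("at (?<timestamp>#{ts})", GITLAB_LINE)
end

if __FILE__ == $0
  p capture_brown             # {"color"=>"brown"}
  p capture_with_star_inside  # {"color"=>"the quick brown"}
  p capture_with_star_outside # {"color"=>"brown"}
  p capture_timestamp         # {"timestamp"=>"2016-05-26 03:43:00 +0000"}
end
```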