How to handle grok optional pattern (?:)

Elastic Stack Logstash
1

Hi everyone I'm new to Elastick Stack, I set grok custom pattern using RegEx:
MODULE_NAME (?:((?<=[\[])\/\S[^\]]+))
the problem is it's optional pattern so I want the "module_name" field to be empty instead of showing "_grokparsefailure" tag
logstash filter:

grok{
    patterns_dir => ["./patterns"]
    match => {
        "message" => '%{DATETIMECATALINACUSTOMFR:logtimestamp}%{SPACE}%{JAVACLASS:javaclass}%{SPACE}%{WORD:method}%{NEWLINE}%{GREEDYDATA:exception}'
        }
}
if[exception]{
    grok{
        patterns_dir => ["./patterns"]
        match => {
            "exception" => '%{MODULE_NAME:module_name}'
        }
    }
}
2

Hi

Optional pattern is not ?: look "?:" meaning in grok · Issue #42 · GitHub for more informations.
To make a field optional you have to do ()?

So in your case it is MODULE_NAME ((?<=[\[])\/\S[^\]]+)?

Cad.

1 Like
3

thanks Cad for your replay, I already tested that pattern with grok debugger and ruby before asking
the problem in this case (pattern)? is module_name field alwayse return empty ""
in two cases, when [/whatever] exist and not

4

What is the look of the data you want to get ? can you share us example ?
Because when you share us the value [/watever] i understand that only watever can change. Is that true ?

Cad.

5

I mean [/watever] may or not exist in log files
so I want to store "whatever" or "/whatever " in new field
if it's exists in log files

6

Then something like this should work :

([\[\/](?<content>[^\]]*)[\]])?

It gonna store the value in content field.

Cad.

1 Like
7

The problem is not the pattern
The problem is when I put it between ()? it always return empty string ""

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.