How to use grok if some pattern is not want to match?

RameshNagargoje · April 19, 2018, 9:53am

I have one input field in which contain boardName and I don’t want to match regex as ".*tester.*" . How we can write grok filter to do not match boardname which contain "tester" name.

input json is
first input
{
boardname : "sys-tester-log1",
logSnippet:" fdsffdsfdsfdsd",
location : "rack1"
}
second input
{
boardname : "tcpdump-tester-log1",
logSnippet:" fdsffdsfdsfdsd",
location : "rack1"
}

thirt input json

{
boardname : "tcpdump-client-log1",
logSnippet:" fdsffdsfdsfdsd",
location : "rack1"
}
I want grok filter to check boardName and I don’t want to dump json in ES if boardName contains tester name

Jenni · April 19, 2018, 10:35am

Assuming there is more content in the input field and the boardName is separated from the rest of the input by ';', you would match it like this:

;(?<boardName>(?(?!tester).)+);

RameshNagargoje · April 19, 2018, 10:47am

@Jenni post is edited please check.

Jenni · April 19, 2018, 10:53am

Then you don't even need grok, do you?

if([boardname] =~ /^.*tester.*$/) {
  drop{}
}

RameshNagargoje · April 19, 2018, 12:57pm

thanks @Jenni it solved my problem

system · May 17, 2018, 12:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.