Hybrid Grok and Dissect Parsing

Nico_Pampaloni · October 29, 2021, 4:32pm

Hi Everyone! I have a question about using Dissect and Grok together when working with a format that has varying structure. A line in my log file might look like this:

word,word.word.word.word|timestamp|number,number,name|timestamp

However the number of names in a line can change so it may also look like:

For log files with the same structure but only single names in them, I am using Dissect to parse the different fields and it's working great. For this specific log with a varying number of names in it, I can't seem to find a way to use Dissect and Grok together to make this work.

Any suggestions would be greatly appreciated.
Thanks!

Badger · October 29, 2021, 5:33pm

Use dissect to parse the fixed prefix and grok with an array of patterns for the variable part. An example is here.

Nico_Pampaloni · November 1, 2021, 11:25am

Thanks for the response!! That's super helpful. My only issue now is how to get Grok to deal with a varying number of name fields.

system · November 29, 2021, 11:26am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.