Hybrid Grok and Dissect Parsing

Nico_Pampaloni · October 29, 2021, 4:32pm

Hi Everyone! I have a question about using Dissect and Grok together when working with a format that has varying structure. A line in my log file might look like this:

word,word.word.word.word|timestamp|number,number,name|timestamp

However the number of names in a line can change so it may also look like:

For log files with the same structure but only single names in them, I am using Dissect to parse the different fields and it's working great. For this specific log with a varying number of names in it, I can't seem to find a way to use Dissect and Grok together to make this work.

Any suggestions would be greatly appreciated.
Thanks!

Badger · October 29, 2021, 5:33pm

Use dissect to parse the fixed prefix and grok with an array of patterns for the variable part. An example is here.

Nico_Pampaloni · November 1, 2021, 11:25am

Thanks for the response!! That's super helpful. My only issue now is how to get Grok to deal with a varying number of name fields.

system · November 29, 2021, 11:26am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can dissect use a variable number of fields? Logstash	11	1350	October 24, 2019
Logstash dissect and grok pattern matching issue Logstash	7	473	May 20, 2021
Logstash Dissect Filter - Multiple Delimiters? Logstash	1	799	December 4, 2018
Grok + Dissect - how to work properly? Logstash	4	726	May 4, 2020
Newbie Issue with multiple dissects Logstash	3	291	March 20, 2019

Hybrid Grok and Dissect Parsing

Related topics