KV how to extract data between square brackets

sahar · March 2, 2020, 12:48pm

Hello,
Assume I have the following message:

"Some message [key1=val1] more text [key2=some [special] value], more text."

From the above message I would like to extract key1 and key2 as follows:
key1 = val1
key2 = some [special] value

How can I achieve that? I found only 1 topic similar to this:

Tried to play around with the solution given there but it never seems to be working for the case above.

A more realistic example:
String:
Found cached [valuejson={"liveStreams":[]}] for [controller=Game] and [action=GetLiveStreams].

I want to extract:

valuejson = {"liveStreams":[]}
controller = Game
action = GetLiveStreams

Badger · March 2, 2020, 2:23pm

How do you know that it shouldn't be

key1 = val1] more text [key2=some [special] value

That's a serious question. What is a definition of the pattern that matches the RHS?

sahar · March 2, 2020, 2:31pm

Hi @Badger

If i would have to describe it in words i'd say there are 2 options to deal with what I want to achieve:

match every nearest pair of square brackets that contains = inside them (so if there's square brackets without = inside them, they will be used as a part of the value).
match fields only if there's an equal amount of square brackets: https://stackoverflow.com/questions/546433/regular-expression-to-match-balanced-parentheses

I tried to do as in that stackoverflow topic, unfortunately it seems like logstash fails to read the regexes that are suggested in the answer there, logstash doesn't even load.

Edit: here is an example from that topic that seems to work when I test it, but doesn't work in logstash itself:

sahar · March 2, 2020, 4:56pm

So after I understood that recursive regex isn't supported probably I tried a different regex with max 2 levels of nesting:
\[(?:[^\]\[]+|\[(?:[^\]\[]+|\[[^\]\[]*\])*\])*\]

It seems to work when testing:

Logstash also loads successfully, but still splits the fields in the wrong way...

What am I missing? perhaps need a different filter for this one? or even ruby code?
Thanks for the help.

sahar · March 3, 2020, 5:27pm

Anyone any ideas? ;o

@Badger can the pattern you suggested on the link I gave in the first post be modified somehow to match my needs?

Badger · March 3, 2020, 6:27pm

I do not know enough about regexps to write one that does what you want.

sahar · March 3, 2020, 6:52pm

@Badger can I perhaps use Ruby code to achieve this?
For example, I already wrote a regex to capture the groups I need here: KV how to extract data between square brackets
Can I write a ruby code to save them under a certain event, and then send this event to KV filter?

sahar · March 3, 2020, 8:14pm

For these interested, here's how I achieved it:

ruby {
	code => 'event.set("kv", event.get("tempMessage").scan(/\[(?:[^\]\[]+|\[(?:[^\]\[]+|\[[^\]\[]*\])*\])*\]/))'
}
kv {
	source => "kv"
	field_split_pattern => "(?:^\[|\]$)"
	trim_key => " "
	trim_value => " "
}

Apparently kv can also take parameter of array of strings, which makes life lot easier for my case since it treats each array value independently.

Thanks for the helpers.

system · March 31, 2020, 8:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.