I have log messages with field data delimited by [ ] characters. The problem is that sometimes the data in the field contains those characters. How do I write the grok pattern to take the nesting level into account, excluding the outer brackets?
Example, given the field data:
[aaa[bbb]ccc[ddd[14]]]
I want to parse it such that the resulting field contains
aaa[bbb]ccc[ddd[14]]
Thanks
I would say that you would need to use some regex to get this done, the following would match everything between the first and last square brackets:
(?<YourResult>(?<=\[).*?(?=\]$))
You can change the 'YourResult' text to name the captured results
Thanks! What I forgot to mention is that there is another field following this one that I don't want to match. I want that to be matched separately. So, a better example would be:
... [aaa[bbb]ccc[ddd[14]]][name=zyz]
Your suggestion seems to be in the right direction but I think it will match too much in this case. I'm still working on it.
I would suggest having a look at this site: http://grokconstructor.appspot.com/do/construction
It will allow you to build the grok query and capture the data you need.
Tim
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.