I have log messages with field data delimited by [ ] characters. The problem is that sometimes the data in the field contains those characters. How do I write the grok pattern to take the nesting level into account, excluding the outer brackets?
Example, given the field data:
[aaa[bbb]ccc[ddd[14]]]
I want to parse it such that the resulting field contains
aaa[bbb]ccc[ddd[14]]
Thanks
I would say that you would need to use some regex to get this done, the following would match everything between the first and last square brackets:
(?<YourResult>(?<=\[).*?(?=\]$))
You can change the 'YourResult' text to name the captured results
Thanks! What I forgot to mention is that there is another field following this one that I don't want to match. I want that to be matched separately. So, a better example would be:
... [aaa[bbb]ccc[ddd[14]]][name=zyz]
Your suggestion seems to be in the right direction but I think it will match too much in this case. I'm still working on it.
I would suggest having a look at this site: http://grokconstructor.appspot.com/do/construction
It will allow you to build the grok query and capture the data you need.
Tim
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.