I am trying to get a grok pattern to match the following and i have it besides the fact that i had to leave a field out to get it done. this is postgresql csv pattern and i needed to splice out the duration from the query. you can see that i did this by having a duration field and then the statement field ending with a double comma ,, anyone know how to not have to do a ,, and to be able to get the duration and query statement split out? between the ,, should be a field named "detail" which would be empty in this case. right now i just don't have a detail field but would like to have it.
2020-04-07 22:32:04.673 UTC,"app_keystore","keystore",14220,"[local]",5e8cf4b2.378c,1748710,"SELECT",2020-04-07 21:46:26 UTC,5/0,0,LOG,00000,"duration: 0.148 ms statement: SELECT ""keystore_app_keyconfig"".""name"", ""keystore_app_keyconfig"".""usage"", ""keystore_app_keyconfig"".""lifetime"", ""keystore_app_keyconfig"".""band_id"", ""keystore_app_keyconfig"".""rotation_method"", ""keystore_app_keyconfig"".""seg_size"", ""keystore_app_keyconfig"".""rotation_time"", ""keystore_app_keyconfig"".""pre_create_keys"", ""keystore_app_keyconfig"".""notes"" FROM ""keystore_app_keyconfig"" WHERE ""keystore_app_keyconfig"".""name"" = 'qa_unit_tests'",,,,,,,,,"app - 10.124.193.84:33116"
(%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{TZ:time_zone})?,(%{DATA:user_name})?,(%{DATA:database_name})?,(%{NUMBER:process_id})?,("\[%{DATA:connection_from}\]")?,(%{USERNAME:session_id})?,(%{NUMBER:session_line_num})?,("%{DATA:command_tag}")?,(%{TIMESTAMP_ISO8601:timestamp2}%{SPACE}%{TZ:time_zone2})?,(%{DATA:virtual_transaction_id})?,(%{DATA:transaction_id})?,(%{DATA:error_severity})?,(%{NUMBER:sql_state_code})?,"duration:%{SPACE}%{NUMBER:duration}%{SPACE}ms%{SPACE}statement:%{SPACE}%{DATA:statement}",,(%{DATA:hint})?,(%{DATA:internal_query})?,(%{DATA:internal_query_pos})?,(%{DATA:context})?,(%{DATA:query})?,(%{DATA:query_pos})?,(%{DATA:location})?,(%{GREEDYDATA:application_name})?