Logstash help with pattern for grok needed

Christos_Gitsis · November 16, 2020, 11:52am

Hello, I am trying to parse some data which is in one of the two following formats:

Sample data:

Data from service service-a loaded
Data from service service-b not loaded

With the following Grok Pattern:

Data from service %{NOTSPACE:service} %{NOT:n}loaded

and custom patterns:

NOT (?:not )

I work in Kibana > Grok Debugger. It seems that my pattern matches the second line of sample data but not the first. I am trying to make it so that the "not " part is optional, and to generate a pattern which matches all my inputs. Could you help me?

Second question, is it possible to use grok to output an integer value, 0 or 1, depending on whether the data from the service is loaded or not?

Badger · November 16, 2020, 4:05pm

That is, I believe, a non-capturing field. If you want an optional field then the ? should be at the end

(not )?

Christos_Gitsis · November 16, 2020, 4:14pm

Thank you, that works. Would someone have an idea for the second question as well?

Badger · November 16, 2020, 4:20pm

The field [n] will only exist if the service is not loaded, so you could use

if [n] {
    mutate { add_field => { "someField" => 0 } }
} else {
    mutate { add_field => { "someField" => 1 } }
}
mutate { convert => { "someField" => "integer" } }

Christos_Gitsis · November 19, 2020, 1:02pm

thanks!

Topic		Replies	Views
Making a part in the grok expression optional Logstash	2	30442	July 6, 2017
GROK pattern query Logstash	3	300	May 23, 2019
Is posible to have iptional field with regex as grok optionals fields? Logstash	6	482	January 6, 2022
How to handle grok optional pattern (?:) Logstash	7	1992	June 1, 2022
Pattern matching issues in Logstash Logstash	2	291	October 13, 2021

Logstash help with pattern for grok needed

Related topics