Logstash help with pattern for grok needed

Christos_Gitsis · November 16, 2020, 11:52am

Hello, I am trying to parse some data which is in one of the two following formats:

Sample data:

Data from service service-a loaded
Data from service service-b not loaded

With the following Grok Pattern:

Data from service %{NOTSPACE:service} %{NOT:n}loaded

and custom patterns:

NOT (?:not )

I work in Kibana > Grok Debugger. It seems that my pattern matches the second line of sample data but not the first. I am trying to make it so that the "not " part is optional, and to generate a pattern which matches all my inputs. Could you help me?

Second question, is it possible to use grok to output an integer value, 0 or 1, depending on whether the data from the service is loaded or not?

Badger · November 16, 2020, 4:05pm

That is, I believe, a non-capturing field. If you want an optional field then the ? should be at the end

(not )?

Christos_Gitsis · November 16, 2020, 4:14pm

Thank you, that works. Would someone have an idea for the second question as well?

Badger · November 16, 2020, 4:20pm

The field [n] will only exist if the service is not loaded, so you could use

if [n] {
    mutate { add_field => { "someField" => 0 } }
} else {
    mutate { add_field => { "someField" => 1 } }
}
mutate { convert => { "someField" => "integer" } }

Christos_Gitsis · November 19, 2020, 1:02pm

thanks!

system · December 17, 2020, 1:02pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Is posible to have iptional field with regex as grok optionals fields? Logstash	6	422	January 6, 2022
How to handle grok optional pattern (?:) Logstash	7	1160	June 1, 2022
Null and nil Logstash	1	689	January 10, 2021
Grok Pattern not working Logstash	6	581	February 8, 2022
Making a part in the grok expression optional Logstash	2	28935	July 6, 2017

Logstash help with pattern for grok needed

Related topics