Match multiple 4 digit numbers in field

Elastic Stack Logstash
#1

I need to match only 4 digit number from field "created:". If there are multiple 4 digit numbers I need to take the biggest and save it back to the field. The problem is that the field can contain strings, dashes, dots, brackets etc. Example:

"created:" "6.2016" -----> leave only 2016
"created:" "c2014" -----> leave only 2014
"created:" "[2010?]" -----> leave only 2010
"created:" "2000, c1994" -----> leave only the biggest one 2000
"created:" "2006 [i.e. 2007]" -----> leave only the biggest one 2007

Can use grok for this something like (?<queue_id>[0-9]{4}).... or conditions in filter if [created] =...

How can I accomplish this?

#2

grok will not match the same pattern repeatedly. I use the .scan function of a ruby string to do this You could try

    ruby {
        code => '
            created = event.get("created")
            if created
                matches = created.scan(/\d{4}/)
                # matches will be an array like ["2010"] or ["2000", "1994"]
                # Convert the array to integers
                matches = matches.map(&:to_i)
                event.set("mostRecentYear", matches.max)
            end
        '
    }

That assumes your field name is [created], not [created:]. You can overwrite [created] instead of adding a new field by changing the event.set line.

If you want to restrict the matches to strictly four digit numbers, and not match part of 123456 change the regexp to /\D\d{4}\D/

Grok matching multi-lines saving first and last value to separate fields
#3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.