Matching/Finding keywords in an already parsed field via GROK

WarriorHarb · March 12, 2019, 4:11pm

Hello,
So i have an unstructured log, after applying a GROK filter, i was able to parse it into seperate fields.
The problem is that the last field which is {GREEDYDATA:Message} contains some keywords like "userID", "Failure" , "Established",... i would like to detect them.
Any suggestions ?

Badger · March 12, 2019, 5:45pm

One approach would be to use

    grok {
        break_on_match => false
        match => {
            "message" => [
             "(^|\W)(?<keyword>Established)(\W|$)",
             "(^|\W)(?<keyword>Failure)(\W|$)",
             "(^|\W)(?<keyword>userID)(\W|$)"
            ]
        }
    }

That will result in keyword being a string if there is one match, or an array if there is more than one. Unless the last pattern (userID) matches, there will be a _grokparsefailure.

WarriorHarb · March 15, 2019, 9:28am

@Badger thanks for the replay, yep it worked fine

system · April 12, 2019, 9:28am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to determine if field contains a value? Logstash	4	7319	September 21, 2017
Regex Pattern to fetch field from message Logstash	2	299	January 17, 2023
Grok parser efficiency Logstash	5	265	July 24, 2018
If field contains question mark Logstash	4	3061	May 24, 2018
Grok Filter - alternative patterns for same field? Logstash	3	1506	July 24, 2020

Matching/Finding keywords in an already parsed field via GROK

Related topics