Multiple matches in same line using grok

ellje · January 10, 2019, 12:54am

Hey guys, new-ish to Elastic and was hoping to get help for the following question.

To start off, I want to use logstash to parse a log file using grok statements.
Say I have an input as follows:

'Test failed with the following exception: Waiting for items to load: [selector: .do-something does.somethingElse, selector: do.another-thing, does.anotherThing... - '

Currently, I could use the 'selector:' as the start , and ' - ' as the end of the string captured, but within that I was hoping to get multiple matches in this same line. So in the end, I would like for the captured field to obtain:

created_field_in_elastic: .do-something does.somethingElse, do.another-thing, does.anotherThing.

However, it only captures the first one. Is this where I use multiline? How do I get this?

Chris_Lyons · January 12, 2019, 12:57am

not sure what your config is but have you tried setting break_on_match => false? By default the GROK will exit as soon as a mach is made.

ellje · January 14, 2019, 5:52pm

Yep, I do have that setting in there as well in the grok block

Badger · January 14, 2019, 6:51pm

It is unclear what you want in the created field. Do you want a string with the 4 things concatenated (which you can do using grok and mutate+gsub), or an array of 2 strings, or an array of 4 strings (both of which can be done using ruby).

ellje · January 14, 2019, 10:18pm

Preferably an array of 4 strings. So I should use ruby like this? https://jenkinsci.github.io/job-dsl-plugin/#method/javaposse.jobdsl.dsl.helpers.step.StepContext.ruby

Badger · January 14, 2019, 10:35pm

Try something like

grok { match => { "message" => "selector: %{DATA:foo} - " } }
mutate {
    gsub => [
        "foo", ", selector: ", " ",
        "foo", ", ", " "
    ]
}
mutate { split => { "foo" => " " } }

system · February 11, 2019, 10:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.