Need help with grok

roman-tasi · March 19, 2024, 4:01am

I need to perform a grok on the directory field with example value:
C:\Users\takuya\Desktop\_Summary presentation\references

Where the Desktop value is pulled out and saved as a new field containing the Desktop value.

Rios · March 19, 2024, 9:29am

Do you always need a value on 3rd position? What would be the field named?
You can use split instead grok.

Rios · March 19, 2024, 10:27am

input {
  generator { "message" => 'C:\Users\takuya\Desktop\_Summary presentation\references'
	   count => 1 }
 
} 

filter {
	 #dissect { mapping => { "message" => "%{disk}\%{dir1}\%{dir2}\%{_dir3}\%{dir4}\%{dir5}" } }
	 dissect { mapping => { "message" => "%{}\%{}\%{}\%{dir3}\%{}\%{}" } }

    grok { 
      #match => { "message" => "%{WORD:gdisk}\:\\%{DATA:gdir1}\\%{DATA:gdir2}\\%{DATA:gdir3}\\%{DATA:_gdir4}\\%{GREEDYDATA:gdir5}" }
      match => { "message" => "%{WORD}\:\\%{DATA}\\%{DATA}\\%{DATA:gdir3}\\%{DATA}\\%{GREEDYDATA}" }
    }
	
 	mutate { copy => { "message" => "[@metadata][path]"} }
 	mutate { gsub => [ "[@metadata][path]", "[\\]", '/' ] }

    mutate {  split  => { "[@metadata][path]" => "/" }
    add_field => { "dirname" => "%{[@metadata][path][3]}"}
    }
 
}

output {
    stdout {codec => rubydebug }
}

Result:

{
       "message" => "C:\\Users\\takuya\\Desktop\\_Summary presentation\\references",
         "gdir3" => "Desktop",
          "dir3" => "Desktop",
       "dirname" => "Desktop"
}

system · April 16, 2024, 10:28am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Need help on Grok Filter? Logstash	3	346	July 23, 2019
Parsing an existing field further Logstash	6	389	September 10, 2021
Extracting particular folder from the path and adding that to a field Logstash	7	1150	August 31, 2018
Grok Parse Help Logstash	4	253	October 9, 2020
Logstash extract first 3 chars of a field into another field Logstash	3	664	July 6, 2017

Need help with grok

Related topics