Need to limit number of characters to be read using grok

Question: How can I make grok read only the first 18 characters from this string: "nameOfItem=Oranges of California and Florida"? With the way I have it, I am getting the last 18 cut off.
Please help.

grok pattern used:

%{LOGLEVEL:loglevel}\|%{DATA:rawtimestamp}\|%{NUMBER:response}\|\[%{DATA:maindata}\]\]\(%{DATA:className}@%{DATA:thread_prefix}:\s*(?>')%{NUMBER:tno}(?>')\s*%{DATA:thread_postfix}\)\s*\{%{DATA:main_message}.{18}\}

Log line to be read:

[DEBUG|20180908 092350 344|22432631|[xxxx:22:xx1234:A1E8Bxxxxxxxxxxxx:N::S]](RequestManager@ExecuteThread: '999' for queue: 'weblogic.kernel.Default') {nameOfItem=Oranges of California and Florida}

Why do you end your expression with .{18}? That will always eat 18 characters of input from the end of the input string.

Also, I strongly suggest you replace the repeated use of DATA with more exact subexpressions. Fewer surprises and better performance.

  1. My requirement is to capture only x number of characters from the field, irrespective of how many characters there are. Some records have more than 50K chars in that field. This is leading to grok timeouts and performance issues. The .18 was a trial and error to try and figure out how I can strip out characters after a certain length.
    Please let me know how I can read / parse only a fixed set of characters.
  2. I am working on getting rid of using DATA in grok. Work in progress.
  3. Is dissect better than grok for my needs?

If you want to limit how much is captured into the main_message field you can do this: (?<main_message>.{0,18})

Is dissect better than grok for my needs

I don't think dissect supports limiting how much is captured.
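The difference between the trailing `.{18}` from the question and a bounded capture, as an added example that is not code from any of the posts above. It assumes Ruby's regex engine behaves like the one grok compiles its patterns to for these constructs; the constant and function names are hypothetical, and `[^}]` is used in place of the answer's `.` so that a value shorter than the limit does not pull the closing brace into the field.

```ruby
# Constructed demo. The log line is the one from the question.
LOG_LINE = "[DEBUG|20180908 092350 344|22432631|[xxxx:22:xx1234:A1E8Bxxxxxxxxxxxx:N::S]]" \
           "(RequestManager@ExecuteThread: '999' for queue: 'weblogic.kernel.Default') " \
           "{nameOfItem=Oranges of California and Florida}"

# Tail of the question's pattern: a lazy DATA-style capture followed by .{18}.
# The 18 characters before the closing brace are consumed outside the group,
# and the lazy match still has to walk the entire field to find them.
TAIL_EATING = /\{(?<main_message>.*?).{18}\}/

# Bounded capture: take at most `limit` characters after the opening brace and
# stop. Nothing after the capture is matched, so a 50K-character field costs
# the same as a short one. A '}' inside the value would end the capture early.
def bounded_pattern(limit)
  /\)\s*\{(?<main_message>[^}]{0,#{Integer(limit)}})/
end

# Returns the captured field, or nil when the line does not match.
def extract(pattern, line)
  m = pattern.match(line)
  m && m[:main_message]
end

def first_chars(line, limit = 18)
  extract(bounded_pattern(limit), line)
end

if __FILE__ == $PROGRAM_NAME
  puts "trailing .{18}: #{extract(TAIL_EATING, LOG_LINE).inspect}"
  puts "bounded {0,18}: #{first_chars(LOG_LINE).inspect}"
  huge = ") {" + ("x" * 50_000) + "}" # constructed oversized field
  puts "50K field     : #{first_chars(huge).inspect}"
end
```
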
