Not able to make a fileld conditional in grok

George_Cherian · November 27, 2017, 3:11pm

The grok filter what is written is as follows:
grok {
match => { "correlationid:" => "(?\w{8}-\w{4}-\w{4}-\w{4}-\w{12})?" }
}
For the below text it is not showing the output:
"correlationid:" => "1000 | callhalf-1388133:0 | 3886c145-b301-4914-b4a4-dab2d5614aca"

But when I try the above filter without ? its working , when I tried after removiing the ?
grok {
match => { "correlationid:" => "(?\w{8}-\w{4}-\w{4}-\w{4}-\w{12})" }
}

"correlationid:" => "1000 | callhalf-1388133:0 | 3886c145-b301-4914-b4a4-dab2d5614aca",
           "CID" => "3886c145-b301-4914-b4a4-dab2d5614aca"

Could anyone help me out?

magnusbaeck · November 27, 2017, 8:59pm

Please make sure to format your configuration snippets as preformatted text (e.g. using the </> toolbar button) so we can see exactly what configuration you have.

George_Cherian · November 28, 2017, 5:13am

Hi Magnus,
Please find the below formatted text

grok {
match => { "correlationid:" => "(?\w{8}-\w{4}-\w{4}-\w{4}-\w{12})?" }
}

For the below text it is not showing the output:
"correlationid:" => "1000 | callhalf-1388133:0 | 3886c145-b301-4914-b4a4-dab2d5614aca"
But when I try the above filter without ? its working

grok {
match => { "correlationid:" => "(?\w{8}-\w{4}-\w{4}-\w{4}-\w{12})" }
}

magnusbaeck · November 28, 2017, 6:24am

I'm still confused. What's the point of the question mark at the opening of the parenthesis? And what's the overall point of the grok filter since you're not capturing any fields from it?

George_Cherian · November 28, 2017, 6:44am

Sorry Magnus,
Really sorry for the mistake made:

grok {
                     match => { "correlationid:" => "(?<CID>\w{8}-\w{4}-\w{4}-\w{4}-\w{12})?" }

This is not getting matched for the below line
Input
"correlationid:" => "1000 | callhalf-1388133:0 | 3886c145-b301-4914-b4a4-dab2d5614aca"

I am using ? because this(CID) field is optional in my log.

But, when I Try the above grok filter without ? as shown below it is fetching the field

 grok {
                         match => { "correlationid:" => "(?<CID>\w{8}-\w{4}-\w{4}-\w{4}-\w{12})" }

Output:
"CID" => "3886c145-b301-4914-b4a4-dab2d5614aca"

I wanted to clarify if there is any mistake in the syntax or format I am applying (?) the conditional operator.

Thanks
George

magnusbaeck · November 28, 2017, 8:42am

It seems the regexp engine chooses the simplest possible solution in this case, which is no match. Appending $ to the end of the expression fixes this problem. I'm not sure why.

George_Cherian · November 28, 2017, 9:08am

Thanks Magnus ...It worked

system · December 26, 2017, 9:08am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.