Optional fields

I've looked at several posts regarding optional fields in the grok match filter and so far I've been unsuccessful in getting it to work using parentheses (with and without ? in various places, depending on what was advised).

Here are two sample data lines:

INFO : stuff2 This is the rest of the data END]]
INFO : stuff OPtime=215 This is the rest of the data END]]

Here's my basic grok filter, that works for the second line, but fails on the first line where the "OPtime=n" is not present.

%{DATA:operation}OPtime=%{WORD:optime}%{SPACE}%{GREEDYDATA:operation} END

I've tried:
%{DATA:operation}(OPtime=%{WORD:optime})%{SPACE}%{GREEDYDATA:operation} END
and others like:
%{DATA:operation}(OPtime=%{WORD:optime})?%{SPACE}%{GREEDYDATA:operation} END
%{DATA:operation}?(OPtime=%{WORD:optime})%{SPACE}%{GREEDYDATA:operation} END

...but get the same results. As I've not been working with logstash/grok very long, and I've long abhorred regular expression stuff, I'm sure there must be a simple solution, but I've not been able to find and implement it.

Thanks for any assistance!


I'm trying to find answers on another grok issue and saw this. Try something like

%{DATA:level} : %{DATA:stuff}( OPtime=%{DATA:OPtime})? %{GREEDYDATA:rest} END

I think you have to have unique names for each field. You are using operation twice in all your examples.

Thanks--now to convert to my slightly more complicated dataset! :slight_smile:
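Added example, not part of the original thread: a Python sketch of how an optional group behaves when it sits directly after a lazy DATA, compared with the pattern from the reply, run over the two sample lines. It assumes the stock grok definitions (DATA = `.*?`, GREEDYDATA = `.*`, WORD = `\b\w+\b`, SPACE = `\s*`); the names `parse` and `missing_optime` are hypothetical helpers, and the duplicate `operation` field is renamed `rest` because Python requires unique group names.

```python
import re

# Assumed expansions of the stock grok patterns used in the thread:
#   DATA -> .*?   GREEDYDATA -> .*   WORD -> \b\w+\b   SPACE -> \s*
# Python writes named groups as (?P<name>...).

# The asker's attempt with "(...)?" placed directly after a lazy DATA.
# The lazy group matches nothing, the optional group is skipped at that
# position, and the greedy tail swallows "OPtime=215" along with the rest.
ATTEMPT = re.compile(
    r"(?P<operation>.*?)(OPtime=(?P<optime>\b\w+\b))?\s*(?P<rest>.*) END"
)

# The pattern from the reply: the literal " : " and the literal space after
# the optional group force the lazy groups to stop at the right places.
ANSWER = re.compile(
    r"(?P<level>.*?) : (?P<stuff>.*?)( OPtime=(?P<OPtime>.*?))? (?P<rest>.*) END"
)

# The two sample lines from the question.
SAMPLES = [
    "INFO : stuff2 This is the rest of the data END]]",
    "INFO : stuff OPtime=215 This is the rest of the data END]]",
]


def parse(pattern, line):
    """Return the named captures for a line, or None if it does not match."""
    m = pattern.search(line)  # grok patterns are unanchored, like search()
    return m.groupdict() if m else None


def missing_optime(pattern, field, lines):
    """Lines that contain 'OPtime=' but whose optime field came back empty."""
    return [
        line for line in lines
        if "OPtime=" in line and not (parse(pattern, line) or {}).get(field)
    ]


if __name__ == "__main__":
    for line in SAMPLES:
        print("attempt:", parse(ATTEMPT, line))
        print("answer: ", parse(ANSWER, line))
```

Both patterns match both lines, so a match alone does not show that the field was extracted; a check like `missing_optime` over known-good sample lines catches the silent loss before the pattern goes into a pipeline.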
