Parse contents of a specific field and store in new fields

Hello all,

I have a few log entries like the ones below, which I am parsing using grok/regex. How can I parse the contents of a field again and store them in new fields within the same index?

Log example:

```
2021-09-24T17:05:52,777 INFO  c.c.d.s.CpMatchApiServiceImpl:match:338 [615:Default Executor-thread-379:5] - CPMatch:-Match: P019 Profile summary: Stations Not Matched : 5 / 8 -11-QL 136-BY-ARR null, 11-QL 136-BY-DEP null, 21-CFP112-BY-ARR null, 21-CFP112-BY-DEP null, 31-CFP100-BY-ARR null, 31-CFP100-BY-DEP null, 51-SOU295-IN-ARR null, 51-SOU295-IN-DEP null, 71-000401-TD-ARR null,  Profile contains: 2 DomStations.
2021-09-24T17:06:00,269 INFO  c.c.d.s.CpMatchApiServiceImpl:match:338 [621:Default Executor-thread-380:5] - CPMatch:-Match: P050 Profile summary: Stations Not Matched : 3 / 30 -1-000ZA0-OR-DEP null, 261-CA 314-BY-ARR null, 261-CA 314-BY-DEP null, 291-QL 136-DS-ARR null,  Profile contains: 2 DomStations.
```

I have written a grok/regex pattern to parse the above log.

```
if ([message] =~ "CPMatch" and [message] =~ "Stations Not Matched" and [message] =~ "Foreign Stations" )
{
	grok {
		match => {
			"message" => "%{TIMESTAMP_ISO8601:MsgTime}\s*(?<LogLevel>([A-Z]{4,9}))\s*(?<Thread_Details>(.*?))]\s+-\s+(?<AppValue>(.*?)):\s*-(?<JavaMethod>(.*?)):\s*(?<Profile_ID>(.*?))\s+Profile summary:\s+(?<Profile_Summary>(.*?))\:\s+(?<noMatch_Stations>(.*?))\s+\/\s+(?<Total_Stations>(.*?))\s+\-(?<noMatch_details>(.*?))\s+Profile\s+contains\:\s+(?<DomStations>(.*?))\s+DomStations\."
		}
	}
}
```

Now I am trying to parse the contents of "noMatch_Stations", which is a field in the above grok pattern. How can I parse the contents of the field? I tried adding a second grok pattern within the if { } like below, but it did not work.

```
if ([message] =~ "Stations Not Matched" and [message] =~ "DomStations" )
{
	grok {
		match => {
			"message" => "%{TIMESTAMP_ISO8601:MsgTime}\s*(?<LogLevel>([A-Z]{4,9}))\s*(?<Thread_Details>(.*?))]\s+-\s+(?<AppValue>(.*?)):\s*-(?<JavaMethod>(.*?)):\s*(?<Profile_ID>(.*?))\s+Profile summary:\s+(?<Profile_Summary>(.*?))\:\s+(?<noMatch_Stations>(.*?))\s+\/\s+(?<Total_Stations>(.*?))\s+\-(?<noMatch_details>(.*?))\s+Profile\s+contains\:\s+(?<DomStations>(.*?))\s+DomStations\."
		}
	}
	grok {
		match => {
			"noMatch_Stations" => "(?<Profile_Seq>(.*?))-(?<Station_Code>(.*?))-(?<(Station_Type)>(.*?))-(?<Station_Point>(.*?))\s+(?<Station_Descrip>(.*?))\,"
		}
	}
}
```

Any kind of help is much appreciated. Thank you
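
An added example, not part of the original post: in the sample lines the station list is what the first grok captures as `noMatch_details`, and it repeats one entry per station, so this Ruby code (the language of Logstash's `ruby` filter) splits it into one hash per entry and keeps entries that do not fit the layout separate instead of dropping them. The names `parse_no_match_details`, `ENTRY_RE`, `stations` and `rejected` are assumptions, and the entry layout is inferred from the two sample lines.

```ruby
# Added example, not the poster's code. Entry layout is inferred from the
# sample log lines: "<seq>-<station code>-<type>-<point> <description>",
# entries separated by commas, with a trailing comma after the last one.

# Station codes can contain spaces ("QL 136"), so the code group is "anything
# except a hyphen" rather than \S+. Anchored so partial matches are rejected.
ENTRY_RE = /\A(?<Profile_Seq>\d+)-(?<Station_Code>[^-]+)-(?<Station_Type>[^-]+)-(?<Station_Point>\S+)\s+(?<Station_Descrip>.*)\z/

# Returns { "stations" => [hash per entry], "rejected" => [raw strings] }.
# Unparseable entries are kept in "rejected" so the event can be tagged and
# reviewed; a silent drop would hide log format drift.
def parse_no_match_details(details)
  stations = []
  rejected = []
  details.to_s.split(",").map(&:strip).reject(&:empty?).each do |entry|
    m = ENTRY_RE.match(entry)
    if m
      stations << m.named_captures
    else
      rejected << entry
    end
  end
  { "stations" => stations, "rejected" => rejected }
end

# Constructed sample: the noMatch_details value for the second log line above.
SAMPLE = "1-000ZA0-OR-DEP null, 261-CA 314-BY-ARR null, " \
         "261-CA 314-BY-DEP null, 291-QL 136-DS-ARR null,"

if __FILE__ == $PROGRAM_NAME
  result = parse_no_match_details(SAMPLE)
  result["stations"].each { |station| puts station.inspect }
  puts "rejected: #{result['rejected'].inspect}"
end
```

Inside a Logstash `ruby` filter the same function can be fed `event.get("noMatch_details")` and its result stored with `event.set`.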
