Parse dynamic field names

Soren_vdc · June 7, 2022, 11:30am

Hi,

I want to parse some code in message field where the field names contains a number. Example:
responseGENERATED_100=76 SENT_100=76
responseGENERATED_180=221 SENT_180=221
responseGENERATED_190=0 SENT_183=0

The filename is different for other values (100,180,190,...)
With grok match, I can't add matching in the fieldname. For example:
grok { match => [ "responsegenerated_%{NUMBER:number}", "%{NUMBER:responsegenerated_%{NUMBER:number} SENT_100=%{NUMBER:responsegenerated_%{NUMBER:number}_send}

Is there another possible solution to avoid grok match for all possible numbers.
br
Sören

Badger · June 7, 2022, 4:43pm

If you want to extract the numbers then use

responseGENERATED_%{NUMBER:a}=%{NUMBER:b} SENT_%{NUMBER:c}=%{NUMBER:d}

If you want the field name to be responseGENERATED_180 then use a kv filter, not grok.

system · July 5, 2022, 4:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Dynamic fields name within grok match Logstash	3	1019	November 18, 2021
Grok filter on dynamic source field name Logstash	1	389	November 20, 2018
Need to parse field name via logstash Logstash	5	471	January 16, 2020
Logstash parsing for dynamic fieldname Logstash	2	127	February 14, 2024
SOLVED: Grok + Dynamic field name Logstash	3	3151	July 6, 2017

Parse dynamic field names

Related topics