Parse dynamic field names

Soren_vdc · June 7, 2022, 11:30am

Hi,

I want to parse some code in message field where the field names contains a number. Example:
responseGENERATED_100=76 SENT_100=76
responseGENERATED_180=221 SENT_180=221
responseGENERATED_190=0 SENT_183=0

The filename is different for other values (100,180,190,...)
With grok match, I can't add matching in the fieldname. For example:
grok { match => [ "responsegenerated_%{NUMBER:number}", "%{NUMBER:responsegenerated_%{NUMBER:number} SENT_100=%{NUMBER:responsegenerated_%{NUMBER:number}_send}

Is there another possible solution to avoid grok match for all possible numbers.
br
Sören

Badger · June 7, 2022, 4:43pm

If you want to extract the numbers then use

responseGENERATED_%{NUMBER:a}=%{NUMBER:b} SENT_%{NUMBER:c}=%{NUMBER:d}

If you want the field name to be responseGENERATED_180 then use a kv filter, not grok.

system · July 5, 2022, 4:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.