Hello, I've a sample line 'stock_status': 'IN_STOCK', 'title_ar': u"World's Greatest Mum Card"
I want to parse the stock_status value, so I created this grok filter
grok{
match => [ "message", "'stock_status': '%{GREEDYDATA:stock_value}'" ]
}
but the output is:
"stock_value": [
[
"IN_STOCK', 'title_ar': u"World"
]
]
I want it to be:
"stock_value": [
[
"IN_STOCK"
]
]
Can you help?
Are those the complete samples of logs and grok pattern? If not, it would help pasting those instead.
Anyhow, you can try this (based on the above info)
grok{
match => [ "message", "'stock_status': '%{NOTSPACE:stock_value}'," ]
}This comma at the end solved the problem, thanks @paz
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.