Parsing a varying length line with custom grok filter, only returns the first field

anar · November 26, 2019, 2:33pm

Hello,

I'm trying to set up a custom grok filter for my data input, but when I test it in Kibana's Grok Debugger, I only get the value for the first field (field1). I'm using grok instead of the csv parser because after field7 the last data field is varying length, and it should just be a single entry in Logstash (I will do some post processing on it afterwards).

My data looks like this:

91877900$|$11613428$|$DEVICE$|$CUSTOM-DEVICE1$|$UTC+02:00$|$["13","19","24","53","60","61","65","66","67","8","1"]$|$title=News$|$genre=News Broadcast$|$startTime=1574190000000$|$programId=659107083$|

My grok pattern looks like this:

%{INT:field1}\$|$ %{INT:field2}\$|$ %{WORD:field3}\$|$ %{DATA:field4}\$|$ %{DATA:field5}\$|$ %{TZ:field6}\$|$ %{GREEDYDATA:field7}\$|$ %{GREEDYDATA:theRestOfIt}

Can someone help with this? I'm getting stuck on this part, and I don't understand why my output looks like this:

{
  "field1": "91877900"
}

Badger · November 26, 2019, 2:45pm

You need to escape all of the $ and | with \

| is used for alternation -- foo|bar matches either foo or bar, so your pattern match any one of

%{INT:field1}\$
$ %{INT:field2}\$
$ %{WORD:field3}\$$
etc.

So once if matches the first INT it does not check the rest of the patterns.

anar · November 26, 2019, 2:55pm

Thank you for the quick reply, Badger.

I tried escaping the $ and | with \, but if I run
%{INT:field1}\$ \|\$%{INT:field2}\$
or
%{INT:field1}\$ \$%{INT:field2}\$
on my input, I get a "Provided Grok patterns do not match data in the input" error.

I also get the same error if I try:
%{INT:field1}\$\|\$ %{INT:field2}\$\|\$ %{WORD:field3}\$\|\$ %{DATA:field4}\$\|\$ %{DATA:field5}\$\|\$ %{TZ:field6}\$\|\$ %{GREEDYDATA:field7}\$\|\$ %{GREEDYDATA:theRestOfIt}

Am I missing something?

Badger · November 26, 2019, 4:32pm

Remove all the spaces and replace TZ with DATA.

input { generator { count => 1 lines => [ '91877900$|$11613428$|$DEVICE$|$CUSTOM-DEVICE1$|$UTC+02:00$|$["13","19","24","53","60","61","65","66","67","8","1"]$|$title=News$|$genre=News Broadcast$|$startTime=1574190000000$|$programId=659107083$|' ] } }
filter {
    grok { match => { "message" => "%{INT:field1}\$\|\$%{INT:field2}\$\|\$%{WORD:field3}\$\|\$%{DATA:field4}\$\|\$%{DATA:field5}\$\|\$%{DATA:field6}\$\|\$%{GREEDYDATA:field7}\$\|\$%{GREEDYDATA:theRestOfIt}" } }
}
output { stdout { codec => rubydebug { metadata => false } } }

produces

     "field6" => "[\"13\",\"19\",\"24\",\"53\",\"60\",\"61\",\"65\",\"66\",\"67\",\"8\",\"1\"]",
     "field1" => "91877900",
"theRestOfIt" => "programId=659107083$|",
     "field7" => "title=News$|$genre=News Broadcast$|$startTime=1574190000000",

etc.

anar · November 27, 2019, 11:52am

Thanks a lot for the help, that solved it!

system · December 25, 2019, 11:53am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Issue with custom parsing in grok filter Logstash	3	320	May 8, 2019
Help needed in grok Logstash	5	2646	February 6, 2020
Grok Custom pattern file Logstash	7	18349	March 5, 2018
Grok filter is not working (custom pattern) Logstash	6	1667	May 10, 2017
Can't Get Custom Grok Filter To Work Logstash	2	326	August 1, 2018

Parsing a varying length line with custom grok filter, only returns the first field

Related topics