Yes, ruby regexp supports positive and negative lookahead and lookbehind assertions, as well as alternation. This allows you to write complex if-elsif-elsif-else tests into your patterns. However, anyone who has to modify such a grok will probably re-write it from scratch.
You can do the test in the filter section using a conditional. For example
if [someField] =~ /^\/test\// {
grok { match => [...]
} else {
grok { match => [...]
}
If you are able to order your patterns such that only one applies then you can have grok try them all by supplying an array of patterns to the match option.
You could start with
grok { match => { "someField" => "^/test/data/(?<user>[^/]+)/%{GREEDYDATA:fileName}" } }
I have a single message which is composed of multiple values joined by pipes. 20190615|4|method|userend|/test/123/1.1|500|2
Now my condition would be "if the 5th value in a message starts with "/test" then use grok filter1 and else use grok filter2
I am trying to get the exact regex for it. Would the below work?
^(.+?)\|(.+?)\|(.+?)\|(.+?)\|\/test\/.+?\|(.+?)\|.+$ . how can i use this in a condition to check if every message has /test as a 5th value ?
Thanks for the info. I apologize if I did not specify my requirement correctly. Just to reiterate
20190615|4|method|userend|/test/123/1.1|500|2 If the 5th value in message starts with "/test", I need to drop it and store "/123/1.1" in a field.
The split filter does help me to split and check whether I have "/test" as the 5th value but how would I drop "/test" and store the rest in a field? I though grok would be the only way to do it.
I am not sure. I do know that specifying the same option to a filter multiple times often works, but sometimes does not. It is very confusing, so I avoid doing it.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.