Parsing using grok

elasticforme · January 12, 2021, 10:18pm

i am running jdbc and getting following data. if I run this on SQL> prompt

--backupid "2129214415_30120163393540,2129214415_30120163432904" --spoolpath /system1/1_backup

but on logstash output it becomes

command:  "--backupid \"2129214415_30120163393540,2129214415_30120163432904\" --spoolpath /system1/1_backup"

how do I parse this and get 2129214415_30120163393540

I try this but it does not work

grok {
             tag_on_failure => ["grok_parse_failed"]
             match => {"command" =>  "--backupid \\"%{GREEDYDATA:myid},%{GREEDYDATA:myid2}\\" }
}

I even try with different \ combination to esacpe that backslash and "

it works on grok debugger when I try

this works

This works as well

Badger · January 13, 2021, 12:14am

The actual value of the command field is --backupid "2129214415_30120163393540,2129214415_30120163432904" --spoolpath /system1/1_backup". There are no backslashes in it, those are just being used as escapes for the double quotes inside the string. Try

match => { "command" => '--backupid "%{DATA:myid1},%{DATA:myid2}"' }

elasticforme · January 13, 2021, 3:40pm

Thank you Badger.

that single quote I didn't know I can use it. plus DATA in place of GREEDYDATA

system · February 10, 2021, 3:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.