Passing custom regex inside grok filter

Flavio1 · January 22, 2021, 11:15am

Hi everybody,
During these days i'm trying to implement a custom regex system configuration in order to have a single point, outside pipelines, in which i can make crud operations on regexes. I tried this solution:

mutate {
            add_field => {
                          "regex_status" => "specific_status"                        
                          "default_status" => "default_status"
            }
        }       
        translate {
            field => "regex_status"
            destination => "[regex_data]"
            dictionary_path => "C:/lookup-regex.json"
            add_field => { "status_exists" => "true" }
        }
        if ([status_exists] == "true") {
          grok {
             match => [ "message", "%{[regex_data][status]}" ]
          }
        }
        else{
          translate {
                field => "default_timestamp"
                destination => "[regex_data]"
                dictionary_path => "c:/lookup-regex.json"   
          }

and this is the lookup-regex.json:

{
    "default_status":".*HTTPv2.0\\/\\d\\.\\d\\\"\\s(?<status>\\d{3})\\s",
    "specific_status": {
        "status":".*HTTP\\/\\d\\.\\d\\\"\\s(?<status>\\d{3})\\s"
    }
}

It seems that during the parsing of the pipeline the logstash debugger gives me that pipeline stop worked because %{[regex_data][status]} it's not a regex. Is this any way to accomplish this behaviour? Essentialy, i would like to know if i can pass string of regex like variable in grok filters. Thx in advance.

leandrojmp · January 22, 2021, 11:49am

I'm not sure if this approach would work and it seems overcomplicated when you compare with the approach in the documentation to use custom patterns.

You could try putting your custom regex expressions in a file and use the patterns_dir option in your grok filter.

For example, you could create a file named CUSTOM-REGEX with the following content.

DEFAULTSTATUS .*HTTPv2.0\\/\\d\\.\\d\\\"\\s(?<status>\\d{3})\\s
SPECIFICSTATUS .*HTTP\\/\\d\\.\\d\\\"\\s(?<status>\\d{3})\\s

Then you would use this file in your grok config.

grok {
    patterns_dir => ["/path/to/your/custom/regex/file"]
    match => { "message", "%{DEFAULTSTATUS:field_name}" }
}

system · February 19, 2021, 11:49am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Reference to grok patterns that are in another field of event Logstash	1	223	August 29, 2022
Regex performance with logstash using more general match Logstash	10	1212	December 1, 2020
Nested field in a grok filter Logstash	10	2470	August 15, 2019
How to handle grok optional pattern (?:) Logstash	7	1120	June 1, 2022
Logstash Custom Patterns is not not working Logstash	1	302	January 15, 2019

Passing custom regex inside grok filter

Related Topics