Pattern to extract specific integer and string

Input:

CEES:1.0|NGINX|NGINX|1.17.6|400|devTime=03/Aug

Output

response_code: 400
message: devTime=03/Aug

Pattern I have applied

^LEEF.*\|%{INT:response_code}%{GREEDYDATA:log_message}

Output I got

response_code: 400
message: |devTime=03/Aug

Unable to solve this. Anyone, please help me.

Which are the fields you want to save?

Actually the Input you put there does not match the pattern.

Try something like this:

%{WORD:word1}:%{NUMBER:n1}\|%{WORD:word2}\|%{WORD:word3}\|%{GREEDYDATA:n2}\|%{NUMBER:response_code}\|%{GREEDYDATA:string}

Hope it helps :slight_smile:

Hi @79g, unfortunately I have not used the Kibana dev tool; I tested this on an online grok parsing tool. I want only the expected output: just 2 fields, response_code and the message field after the 400 value, but I am getting | in front of the message field value.

Have you tried to escape the | char?

Try the pattern of my previous publication:

%{WORD:word1}:%{NUMBER:n1}\|%{WORD:word2}\|%{WORD:word3}\|%{GREEDYDATA:n2}\|%{NUMBER:response_code}\|%{GREEDYDATA:string}

If you only need two fields, just discard the rest of them

Thank you @79g, I followed your code and learned it.
My new grok pattern is:

^CEES.*\|%{INT:response_code}\|%{GREEDYDATA:log_message}

I got my desired output using this, but out of curiosity, what does \| signify? I mean, I got my output just by hit and trial.

Happy to help :slight_smile: Just mark my reply as the solution to make it easier for others to find.

You cannot put the character | inside JSON without escaping it. Some special characters could be interpreted and cause failures. To avoid this, it is necessary to add a \ before it. You can search for JSON escaping.

By default, | is used for alternation, so that you might match either AM or PM in a timestamp using (AM|PM). If you have a literal | in the message then you need to escape it with a backslash for the regexp to match it.
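The effect of escaping the pipe, shown on the sample line from this thread as an added example (not code from any poster here). It is written in Ruby because Ruby's regexp engine uses the same Oniguruma-style syntax as grok; the helpers `grok_to_regexp` and `grok_match` are hypothetical, and the third pattern is constructed to show alternation.

```ruby
# Stock grok definitions for the two patterns used in the thread.
GROK = {
  'INT'        => '(?:[+-]?(?:[0-9]+))',
  'GREEDYDATA' => '.*'
}.freeze

# Hypothetical helper: expand %{NAME:field} into a named capture group.
def grok_to_regexp(pattern)
  src = pattern.gsub(/%\{(\w+):(\w+)\}/) { "(?<#{$2}>#{GROK.fetch($1)})" }
  Regexp.new(src)
end

# Hypothetical helper: return the named captures, or nil when nothing matches.
def grok_match(pattern, line)
  m = grok_to_regexp(pattern).match(line)
  m && m.named_captures
end

# Sample log line from the thread.
LINE = 'CEES:1.0|NGINX|NGINX|1.17.6|400|devTime=03/Aug'

# No separator between the two fields: GREEDYDATA starts right after the
# digits, so it swallows the literal | that follows 400.
NO_SEPARATOR = '^CEES.*\|%{INT:response_code}%{GREEDYDATA:log_message}'

# Escaped pipe between the fields: \| consumes the literal | itself,
# so it never reaches log_message.
ESCAPED = '^CEES.*\|%{INT:response_code}\|%{GREEDYDATA:log_message}'

# Constructed counter-example: bare | is alternation, giving three branches.
# The first branch (^CEES.*) matches the whole line and nothing is captured.
UNESCAPED = '^CEES.*|%{INT:response_code}|%{GREEDYDATA:log_message}'

{ 'no separator' => NO_SEPARATOR,
  'escaped \|'   => ESCAPED,
  'unescaped |'  => UNESCAPED }.each do |label, pattern|
  puts "#{label}: #{grok_match(pattern, LINE).inspect}"
end
```

The unescaped pattern still reports a match, just with empty fields, which makes this kind of mistake easy to miss in a parsing pipeline.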
