Pipelines - Losing values with Foreach and Grok

Josiah_Raiche · November 2, 2018, 7:55pm

Similar to this unanswered question: Ingest: foreach + grok processor - how to write result into an array?

I'm trying to parse a multiline document. Each line is a step in trace route and I'd like to process each line into an array.

Here's the relevant field, execbeat's exec.stdout for a windows tracert command:

Tracing route to example.com [123.456.789.10]
over a maximum of 30 hops:

  1    24 ms     1 ms     1 ms  123.456.789.14
  2     2 ms     1 ms     2 ms  example.com [123.456.789.12]
  3     5 ms     1 ms     1 ms  example.com [123.456.789.10]

Trace complete.

Desired output, though I'd also be happy with separate top level arrays for each key, or even joined strings.

{
...
"hops": [
    {"hop_step": 1, "hop_ip": "123.456.789.14", "rtt_1": 24, "rtt_2": 1},
    {"hop_step": 2, "hop_ip": "123.456.789.12", "rtt_1": 2, "rtt_2": 1}
[... up to 30] 
]
}

Here's my pipeline:

PUT _ingest/pipeline/tracert
{
  "description": "A pipeline for parsing tracert results",
  "processors": [
	{
		"set": {
			"field": "hops",
			"value": ""
		}
	},
	{
		"split": {
			"field": "exec.stdout",
			"separator": "[\r\n]+"
		}
	},
	{
		"foreach": {
			"field": "exec.stdout",
			"processor": {
				"grok": {
					"field": "_ingest._value",
					"patterns": ["%{POSINT:hop_step}\\s+%{POSINT:rtt_1} ms\\s+ %{POSINT:rtt_2} ms\\s+ %{POSINT:rtt_3} ms\\s+%{USERNAME:hop_server_name}? \\[?%{IP:hop_ip}"],
					"ignore_failure" : true
				}
			}
		}
	}
  ]
}

Grok works great and discards the non-matching lines, retaining the ones I like. But since foreach can only accept 1 processor, there's no way to capture those values, and they are overwritten by subsequent lines.

This seems like a common case; how can I do this?

jakelandis · November 5, 2018, 5:36pm

Unfortunately it is not possible with using just Foreach and Grok for the reasons you mention.

However, It is possible to do this is in Painless with the script processor.

You will have to enable regular expressions in you elasticsearch config : script.painless.regex.enabled: true and manually map between Grok and the underlying regex as defined here.

I took a quick swing, and hopefully this is a starting point to implement something like this (the example as-is is fragile and meant only as getting started example)

POST _ingest/pipeline/_simulate?verbose
{
  "pipeline": {
    "description": "test",
    "processors": [
      {
        "script": {
          "lang": "painless",
          "source": """
            String[] lines =  /[\r\n]+/.split(ctx.exec?.stdout);
            List hops = new ArrayList();
            for( String line : lines){
              Map hop = new HashMap();
              Matcher matcher = /^(\b(?:[1-9][0-9]*)\b)\s+(\b(?:[1-9][0-9]*)\b) ms\s+ (\b(?:[1-9][0-9]*)\b) ms\s+ (\b(?:[1-9][0-9]*)\b) ms\s+([a-zA-Z0-9._-]+)\s+\[(.*)\].*$/.matcher(line);
              if(matcher.matches()){
                if(matcher.groupCount() >= 1){
                  hop.put("hop", matcher.group(1));
                 }
                 if(matcher.groupCount() >= 2){
                  hop.put("rtt_1", matcher.group(2));
                 }
                  if(matcher.groupCount() >= 3){
                  hop.put("rtt_2", matcher.group(3));
                 }
                  if(matcher.groupCount() >= 4){
                  hop.put("rtt_3", matcher.group(4));
                 }
                 if(matcher.groupCount() >= 5){
                  hop.put("user_name", matcher.group(5));
                 }
                 if(matcher.groupCount() >= 6){
                  hop.put("ip", matcher.group(6));
                 }
                hops.add(hop);
               }
             }
            ctx.hops = hops;
          """
        }
      }
    ]
  },
  "docs": [
    {
      "_index": "test",
      "_type": "_doc",
      "_id": "99",
      "_source": {
        "exec": {
          "stdout": "Tracing route to example.com [123.456.789.10]\nover a maximum of 30 hops:\n1    24 ms     1 ms     1 ms  123.456.789.14\n2     2 ms     1 ms     2 ms  example.com [123.456.789.12]\n3     5 ms     1 ms     1 ms  example.com [123.456.789.10]"
        }
      }
    }
  ]
}

system · December 3, 2018, 5:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Ingest: foreach + grok processor - how to write result into an array? Elasticsearch	1	1019	July 19, 2017
(Ingest Pipeline) Grok on an Array using Foreach -> Pipeline processors Elasticsearch	2	1547	September 16, 2020
Ingest: foreachとgrokを組み合わせた場合の処理について日本語による質問・議論はこちら	3	2153	October 31, 2017
Inges pipeline - KV processor not working with foreach Elasticsearch	1	342	February 10, 2021
Ingest pipeline Elasticsearch ingest-pipeline	3	289	December 26, 2022

Pipelines - Losing values with Foreach and Grok

Related topics