Problem with Grok of message

robymemo · June 25, 2019, 5:05pm

Hi,
i'm trying to grok a message (*) where each field is separated by "|" .
I used this sintax
%{WORD:project_name}\|(?<procedura>[^\|]*)\|(?<log_procedura>[^\|]*)\|(?<esito>[^\|]*)\|(?<row_number>[^\|]*)\|(?<data_caricamento>[^\|]*) but if I try to add %{DATESTAMP} instead of the last field, but the grok debugger give me compilation error ...
How I can add it ? And if I have to substitute the second field with %{WORD:procedura}, how I can do it ? Every time I try to validate the grok debugger give me error.

Thanks a lot

(*)
SAVA|Bonifiche SAVA|[START] Aggiornamento COD_DEALER_REASON|OK|3022|22/03/2012 13:41:52

Badger · June 25, 2019, 5:25pm

DATESTAMP works for me

grok { match => { "message" => "%{WORD:project_name}\|(?<procedura>[^\|]*)\|(?<log_procedura>[^\|]*)\|(?<esito>[^\|]*)\|(?<row_number>[^\|]*)\|%{DATESTAMP:data_caricamento}" } }

results in

      "row_number" => "3022",
       "procedura" => "Bonifiche SAVA",
   "log_procedura" => "[START] Aggiornamento COD_DEALER_REASON",
    "project_name" => "SAVA",
"data_caricamento" => "22/03/2012 13:41:52",

robymemo · June 25, 2019, 6:05pm

I don't know why before the debugger site give me error ... anyway thanks

I have another request, if I would to change the value of a fields I have to use the mutate right ?
For example if i would to change the value of 'procedura' making it 'SAVA' if the text is 'Bonifiche SAVA' else 'ROAR' , can you write me how do it ?

Thanks,

Badger · June 25, 2019, 6:34pm

I would use mutate to do that, yes.

    if [procedura] == "Bonifiche SAVA " {
        mutate { replace => { "procedura" => "SAVA" } }
    } else {
        mutate { replace => { "procedura" => "ROAR" } }
    }

robymemo · June 26, 2019, 12:28pm

something was not working fine ... Some fields configured in the grok are not present in the final json ... how is possible ?

Thanks for the support

This is my sample message :
SAVA|Bonifiche SAVA|[FINE] Aggiornamento COD_DEALER_REASON|OK|3022|22/03/2012 01:41:52

this is my configuration on logstash :
filter {
grok {
match => { "message" => "%{WORD:project_name}|(?[^|])|(?<log_procedura>[^|])|(?[^|])|(?<row_number>[^|])|%{DATESTAMP:data_caricamento}"}
}
if "Bonifiche SAVA" in [procedura] {
mutate { replace => { "procedura" => "SAVA" } }
} else {
mutate { replace => { "procedura" => "ROAR" } }
}
}

this is the json result :
{"_id":"Wm20k2sB8l6U-WbzLmcv","_type":"doc","_index":"log_test-n-2019.06.26","@timestamp":["2019-06-26T12:13:02.571Z"],"row_number":"3022","data_caricamento":"22/03/2012 01:41:52","message":"SAVA|Bonifiche SAVA|[FINE] Aggiornamento COD_DEALER_REASON|OK|3022|22/03/2012 01:41:52","input":{"type":"log"},"project_name":"SAVA","agent":{"version":"7.1.1","ephemeral_id":"3a3c334b-6ec5-4c3d-971c-ea0cc35cb13a","id":"9546f89a-5dde-49c2-bedf-3858a825a907","type":"filebeat","hostname":"localhost.localdomain"},"procedura":"SAVA","log_procedura":"[FINE] Aggiornamento COD_DEALER_REASON","fields":{"log_type":"access"},"tags":["logn","beats_input_codec_plain_applied"],"ecs":{"version":"1.0.0"},"@version":"1","log":{"file":{"path":"/var/log/new_log_path/input_1/tl_1.log"},"offset":89},"host":{"name":"localhost.localdomain"},"esito":"OK"}

robymemo · June 26, 2019, 12:41pm

Sorry .... the result is correct ...

system · July 24, 2019, 12:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.