Reference to grok patterns that are in another field of event

who · August 1, 2022, 10:46am

There's a regexes array field in the event that contains some regexes:

"regexes" => [
            [0] "regex1",
            [1] "regex2",
            [2] "regex3"
        ]

As this field's content get filled dynamically, I need to use the grok filter plugin the way it uses the regexes inside this field as its patterns. Something like this:

grok {
       match => {
         "message" => "%{[regexes]}"
    }
}

But despite other filter plugins, grok parses %{TEXT} as a pattern, not a field reference format (sprintf format). So it doesn't replace the content of regexes field in "message" => "%{[regexes]}" string and gives the error:

Pipeline error {:pipeline_id=>"main", :exception=>#<Grok::PatternError: pattern %{[regexes]} not defined>

Also, another challenge would be to feed the content of regexes field as an array to the grok plugin, so it evaluates that like this:

 grok {
       match => {
         "message" => [
                       "regex1",
                       "regex2",
                       "regex3"
         ]
    }
}

system · August 29, 2022, 10:46am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can I use grok to match fields? Logstash	2	805	July 6, 2017
Passing custom regex inside grok filter Logstash	2	1361	February 19, 2021
Grok rewrite field value if matches string Logstash	2	943	December 21, 2016
Parsing a message after the pattern Logstash	4	453	March 30, 2017
Add_field Logstash	5	991	July 6, 2017

Reference to grok patterns that are in another field of event

Related topics