Skip first two grok pattern matches

Jim_Thunder · August 9, 2019, 6:34pm

I am trying to parse out the last number of a field (that is a string). My grok pattern, currently, pulls the first number and puts it in the new field. How can make that grok pattern skip the first 2 numbers it comes across and instead grab the third?

Sample [TEXT] field value:

" IAT1613 JOB SERZMFP (JOB04933) SYSTEM MESSAGE COUNT IS 290,000"

Here's my code:
</>
if "IAT1613" in [TEXT] {
grok { match => ["TEXT","%{NUMBER:MSG_COUNT}"] }
}
</>

The grok pattern grabs the "1613" but I need it to grab the number 290,000 instead.

Badger · August 9, 2019, 7:58pm

Anchor the pattern to end of line. Also, NUMBER cannot contain commas, so use a custom pattern.

"(?<MSG_COUNT>[0-9,]+)$"

system · September 6, 2019, 7:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash Filter to parse a string Logstash	5	904	August 27, 2019
How to get first match regex grok Logstash	1	268	April 2, 2020
Grok Filter Pattern with Comma Logstash	8	14310	July 6, 2017
Parsing a varying length line with custom grok filter, only returns the first field Logstash	5	751	December 25, 2019
Pattern to extract specific integer and string Logstash	7	474	September 1, 2022

Skip first two grok pattern matches

Related topics