Square brackets in ingest node grok pattern

wenyao · December 5, 2016, 4:16am

I am trying to convert my logstash configs into ingest node pipelines.

In my previous logstash config, the grok pattern contains square brackets which looks like this:

\[%{DATA:loglevel}\] %{TIMESTAMP_ISO8601:datetime} \[%{DATA:handler}\] - %{GREEDYDATA:errorMsg}

However, i cant add the blackslash before [ and ] in my .json pipeline definitions and it does not seem to work when i remove the blackslashes or when i add a double backslash in front.

How can i capture the data within square brackets for ingest nodes grok filters?

spinscale · December 5, 2016, 10:06am

Hey,

how about this?

POST _ingest/pipeline/_simulate
{
  "pipeline": {
    "description": "describe pipeline",
    "processors": [
      {
        "grok": {
          "field": "message",
          "patterns": [
            "\\[%{DATA:loglevel}\\] %{GREEDYDATA:errorMsg}"
          ]
        }
      }
    ]
  },
  "docs": [
    {
      "_source": {
        "message": "[INFO] what ever else comes here"
      }
    }
  ]
}

--Alex

wenyao · December 5, 2016, 10:16am

It does not work. I did mention in my previous post that i already tried it out with double backslashes

system · January 2, 2017, 10:16am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.