Using kv and Grok Pattern in Ingest Pipelines

geek876 · February 11, 2021, 10:50am

I am trying to extract a log-pattern

[LEVEL] (COMPONENT) MESSAGE [msgid: MESSAGE ID]

example message:

[INFO   ] (core.workflow) Start scan, workflow_id='lms::workflow::WorkflowExecutor(0x259c99f94b0, name = "WF-127.0.0.1:60708")', dataId='4d66c5069365476a8f36431e6369ab0b', fileName='winlogbeat.yml' [msgid: 3491]

In the pipeline I have two filters:

(1) Grok: That extracts level, component, kvmessage and mid - This works.
(2) kv: I want to now split values like workflow_id, name etc as key value pairs. However, this is not working. Would appreciate some assistance.

    [
      {
        "grok": {
          "field": "message",
          "patterns": [
            "\\[%{WORD:level}\\s*\\]: \\(%{COMPONENT:component}\\) %{MSG:kvmessage}\\[%{GREEDYDATA:mid}\\]"
          ],
          "pattern_definitions": {
            "COMPONENT": "\\w*.\\w*",
            "STATUS": "\\w*\\s\\w*",
            "MSG": "[^\\[]*"
          },
          "ignore_missing": true
        }
      },
      {
        "kv": {
          "field": "kvmessage",
          "field_split": ",",
          "value_split": "="
        }
      }
    ]

system · March 11, 2021, 10:51am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
GROK pattern for message Elasticsearch	2	307	April 29, 2019
About Ingest Processor patterns Elastic Stack ingest-pipeline	4	293	June 20, 2022
Having problem Parsing Message via ingest pipeline Kibana elastic-stack-alerting	7	881	September 7, 2021
Ingest pipeline KV processor failure Elasticsearch	3	2526	August 29, 2017
Log Pipeline Elastic Observability ingest-pipeline	2	283	November 4, 2022

Using kv and Grok Pattern in Ingest Pipelines

Related topics