What is the best way to represent a data using grok when an emailid is inside a quoted string?

Elastic Stack Elasticsearch
1

We have got the predefined grok expressions EMAILADDRESS and QUOTEDSTRING available in elasticsearch/kibana

In my log I have the pattern
fromemailid="shi@gmail.com" toemailid="ela@gmail.com"

What is the best way to represent them so that elasitcsearch can give more meaningful information

fromemailid=%{QUOTEDSTRING,frommail} toemailid=%{QUOTEDSTRING,tomail}

or

fromemailid="%{EMAILADDRESS,frommail}" toemailid="%{EMAILADDRESS,tomail}"

or

fromemailid="(?{EMAILADDRESS})" tomailid="(?{EMAILADDRESS})"

.....

or
Are all the above patterns equivalent?
regards
shini

2

They are definitely not the same, see https://github.com/elastic/elasticsearch/blob/7.14/libs/grok/src/main/resources/patterns/grok-patterns#L19 and https://github.com/elastic/elasticsearch/blob/7.14/libs/grok/src/main/resources/patterns/grok-patterns#L4 respectively.

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.