AbtPst
Reputation: 8008
Logstash : Optional match not working as expected
lets say i have two kinds of messages coming in
1/1/12 dasdahdgh
1/1/12 asd.ert.Tghagsdh
now i want something like this
%{DATE_US:time}%{SPACE}(%{WORD:stat}|(?<java_method>[a-zA-Z\.]+))
if i see a single word after the date, i want to call it stat. If i see the name of a java method, then i want to call it java_method
However, the result i get is
{"time":1/1/12, "stat":"dasdahdgh", "java_method":""}
{"time":1/1/12, "stat":"asd", "java_method":".ert.Tghagsdh"}
how can i configure my grok so that only one of either stat or java_method is created?
Upvotes: 0
Views: 166
Answers (1)
baudsp
Reputation: 4100
I've made a regex which has to have a dot in it, so it will capture asd.ert.Tghagsdh but not dasdahdgh. By placing it before %{WORD}, it will capture the java "method" (it look more like a class), but not the stat:
%{DATE_US:time}%{SPACE}((?<java_method>(?:[a-zA-Z]+\.)+[a-zA-Z]+)|%{WORD:stat})
So you'll have the right values in your fields.
Upvotes: 2
Related Questions
- Logstash grok multiple match
- grok parse optional field pattern doesn't work
- conditional matching with grok for logstash
- Logstash Optional Fields
- GROK pattern for optional field
- Grok Pattern not working in Logstash
- Logstash pattern dealing with multiple matches
- Logstash pattern matching more than it should
- Logstash grok multiple matches failure
- logstash fails to match a grok filter