dina
Reputation: 4289
how to match first regex occurrence using grok filter
my logs are in the following format my.package.name classname: my_message
I would like to cut the class perfix .
for example:
com.example.Handler doPost: request received, jim:jay foo: bar
convert to:
request received, jim:jay foo: bar
I tied this
filter {
grok {
match => {"message" => "^(.*):%{GREEDYDATA:request}"}
}
}
output { stdout { codec => rubydebug }}
but this is what I get:
{
"request" => " bar",
"message" => "com.example.Handler doPost: request received, jim:jay foo: bar"
...
}
seems like grok matches by last regex occurrence.
how can I match by first : occurrence?
Upvotes: 1
Views: 3995
Answers (1)
Will Barnwell
Reputation: 4089
Use a reluctant .* by using .*?. A normal .* will match as much as it can while a reluctant .*? will match as little as it can.
Fun fact: The logstash grok DATA patterns are
DATA .*?
GREEDYDATA .*
So you can define your pattern as
^%{DATA}:%{GREEDYDATA:request}
Upvotes: 3
Related Questions
- GROK Parsing with regex
- Logstash grok pattern to extract a part of String starts with and ends with
- logstash log parsing with regex and grok
- How to get only the first match of a regex Grok filter
- logstash grok - how to do conditional pattern matching?
- Parsing data with grok filter on logstash
- Logstash grok filter regex
- Logstash Grok pattern with multiple matches
- Grok debugging - Match first only regex not working as intended
- Logstash grok pattern to filter custom Log message