Kizer
Reputation: 135
Match string with prefix and suffix use Logstash grok pattern
I have a ELK cluster to keep my logs below, and i want to extract some fields in the log use logstash grok.
[info ][170703 10:34:38.998686/832]acct ok,deal_time=122ms;ACCESS_PORT=216179383538692472&ACCESS_TYPE=2&ACCOUNT=07592111916&Acct-Status-Type=3;
here is my grok pattern.
%{SYSLOG5424SD}\[%{DATA:[@metadata][timestamp]}\/%{NUMBER}\]%{WORD:type}\ %{WORD:status}\,%{GREEDYDATA}%{NUMBER:dealtime}ms\;%{GREEDYDATA}(?<acct>(?<=ACCOUNT=).*)
i want to extract some field's value and give it to the event variable. eg. acct = 07592111916
i use (?(?<=ACCOUNT=).*&$) to extract the value, but not works, where is my problem?
i debug the code in this site. http://grokdebug.herokuapp.com
Upvotes: 0
Views: 2083
Answers (1)
Кирилл Полищук
Reputation: 845
I think you need to extract this way:
(?<acct>(?<=ACCOUNT=)[^&]+)
Upvotes: 1
Related Questions
- Logstash grok pattern to extract a part of String starts with and ends with
- logstash log parsing with regex and grok
- Logstash grok multiple match
- Logstash/Grok: Read substring from field using regex
- logstash grok - how to do conditional pattern matching?
- Regular expressions for grok pattern
- Custom Grok regular expression matcher
- how to match first regex occurrence using grok filter
- Logstash grok filter regex
- Logstash Grok pattern with multiple matches