Reputation: 13453
How to grok a pipe-delimited string in a log line
I need to grok a pipe-delimited string of values in a grok line; for example:
|NAME=keith|DAY=wednesday|TIME=09:27:423227|DATE=08/06/2019|amount=68.23|currency=USD|etc...
What is the easiest way to do this?
Is there any form of a grok split?
Thanks, Keith
Upvotes: 0
Views: 847
Answers (1)
Reputation: 2908
Your scenario is the perfect use case of logstashs kv (key-value) filter!
The basic idea behind this filter plugin is to extract key-value pairs in a repetitive pattern like yours.
In this case the field_split character would be the pipe ( | ).
To distinguish keys from values you would set the value_split character to the equal sign ( = ).
Here's a sample but untested filter configuration:
filter{
kv{
source => "your_field_name"
target => "kv"
field_split => "\|"
value_split => "="
}
}
Notice how the pipe character in the field_split setting is escaped. Since the pipe is a regex-recognized character, you have to escape it!
This filter will extract all found key-value pairs from your source field and set it into the target named "kv" (the name is arbitrary) from that you can access the fields.
You might want to take a look at the other possible settings of the kv filter to satisfy your needs.
I hope I could help you! :-)
Upvotes: 4
Related Questions
- multiline grok pattern matched to multiple single lines inside kibana
- grok pattern to parse the logs in logstash
- What should be the grok pattern for thoses logs ? (ingest pipeline for filebeat)
- Create custom grok pattern to message filed in elasticsearch
- Issue with the logstash config while parsing multiline log
- Logstash matches multiple value
- Grok Pattern - for comma delimited data
- Filebeat/Logstash Multiline Syslog Parsing
- Grok doesn't match multiline log entries properly?
- How do I use FileBeat to send log data in pipe separated format to Elasticsearch in JSON format?