
Custom grok patterns - matching multiple patterns

I've asked a similar question before but not had any responses so figured it was time to reword it in the hope of receiving some much needed help.

Ultimately I want to create an ingest pipeline but I'm failing at the first hurdle when trying to create a custom grok pattern, using the Grok debugger in Kibana, to extract two fields from the message. With the below message:

This is a document with a lengthy text it contains a number of paragraphs and at the end I'll add some markers that indicate additional information I'd like to pull out and add as additional fields. This is the end of the actual document with additional information being added prior to the closing bracket of the RTF.

additionalfield1: this is information associated with additionalfield1

additionalfield2: information associated with additionalfield2

I'm trying to create the below fields but I can't seem to get both of the patterns to match, only one or the other.

{
  "additionalfield1": ": this is information associated with additionalfield1",
  "additionalfield2": ": this is information associated with additionalfield2"
}

The image below shows what I'm doing when matching a single pattern, and I'm hoping to learn how I can match and extract both of the above. As you can see from the screenshot, matching one of them, in this case "additionalfield1", works well, and the same goes if I change the pattern, but if I try to look for both, nothing is returned.

[screenshot: Grok Debugger single pattern match]

The below screenshot shows a failed attempt at extracting both additionalfield1 and additionalfield2 if those are present and in this case it only extracts additionalfield2.

[screenshot]

Any help would be much appreciated.

Update:

I really don't understand this at all, obviously. The text obviously contains a number of newline characters but if I use a pattern of

(?m)%{FINCLASS:finclass}

I'm extracting the additionalfield1

if I then were to add

(?m)%{FINCLASS:finclass}(?m)%{MYCLASS:myclass}

and under custom patterns put this:

FINCLASS : (?<=additionalfield1:\s)[^,\n]*
MYCLASS : (?<=additionalfield2:\s)[^,\n]*

I get a message that the pattern doesn't match, but following additionalfield1 and the rest of that line is a newline, and so additionalfield2 always follows that \n.

This is sending me bonkers so if you care to enlighten a noob, please save me from tearing my hair out.

Try this:

INPUT:

This is a document with a lengthy text it contains a number of paragraphs and at the end I'll add some markers that indicate additional information I'd like to pull out and add as additional fields. This is the end of the actual document with additional information being added prior to the closing bracket of the RTF.

additionalfield1: this is information associated with additionalfield1

additionalfield2: information associated with additionalfield2

GROK pattern:

additionalfield1: (?<additionalfield1>([^,]*))additionalfield2: (?<additionalfield2>([^,]*))

OUTPUT:

{
  "additionalfield1": [
    [
      "this is information associated with additionalfield1\n\n"
    ]
  ],
  "additionalfield2": [
    [
      "information associated with additionalfield2"
    ]
  ]
}
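An added example (not from the question or the answer) that expands the grok patterns above with Python's re module against a constructed message of the same shape; it shows why the question's back-to-back custom patterns never match at all and why the answer's pattern captures additionalfield1 with the trailing blank line seen in its output.

```python
import re

# Constructed sample message, shaped like the one in the question: a body
# paragraph, then the two marker lines, each preceded by a blank line.
MESSAGE = (
    "This is a document with a lengthy text and at the end I'll add some markers "
    "prior to the closing bracket of the RTF.\n\n"
    "additionalfield1: this is information associated with additionalfield1\n\n"
    "additionalfield2: information associated with additionalfield2"
)

# The custom pattern definitions from the question's update.
CUSTOM_PATTERNS = {
    "FINCLASS": r"(?<=additionalfield1:\s)[^,\n]*",
    "MYCLASS": r"(?<=additionalfield2:\s)[^,\n]*",
}

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")  # %{NAME} or %{NAME:field}

def grok_to_regex(pattern: str, custom: dict) -> str:
    """Expand %{NAME:field} references into a Python regex with named groups.
    Only the custom patterns supplied are known; grok's built-in library
    (GREEDYDATA, ...) is not reproduced, so an unknown name raises KeyError."""
    def expand(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        return f"(?P<{field}>{custom[name]})" if field else f"(?:{custom[name]})"
    expanded = _REF.sub(expand, pattern)
    # Grok (Oniguruma) writes named groups as (?<name>...); Python needs (?P<name>...).
    # \w never matches '=' or '!', so (?<= and (?<! lookbehinds are left untouched.
    return re.sub(r"\(\?<(\w)", r"(?P<\1", expanded)

def grok_match(pattern: str, text: str, custom=CUSTOM_PATTERNS):
    """Named fields captured by the pattern, as grok would report them, or None."""
    # The question's inline (?m) is passed as re.MULTILINE instead; it only affects ^ and $.
    m = re.search(grok_to_regex(pattern, custom), text, re.MULTILINE)
    return None if m is None else m.groupdict()

# The question's attempt: the two custom patterns sit back to back, so once FINCLASS
# stops at the end of its line nothing consumes the "\n\n", and MYCLASS's lookbehind
# never sees "additionalfield2: " directly behind it. Result: no match at all.
QUESTION_PATTERN = "%{FINCLASS:finclass}%{MYCLASS:myclass}"

# The answer's pattern: "[^,]*" also matches newlines, so it runs across the blank
# line until the literal "additionalfield2: " matches; that is why the answer's output
# shows additionalfield1 ending in "\n\n". Call .rstrip() on the values if that matters.
ANSWER_PATTERN = (
    "additionalfield1: (?<additionalfield1>([^,]*))"
    "additionalfield2: (?<additionalfield2>([^,]*))"
)
```

Note that `[^,]*` also stops at the first comma, so a value containing a comma would be cut short; a class such as `[^\n]*` per marker line avoids both that and the trailing newlines.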
