
[Question] How to get all the fields' value

Open thangld322 opened this issue 5 years ago • 0 comments

Let's say that I have this pattern: "<%{NUMBER}>%{SYSLOGTIMESTAMP:timestamp} %{DATA}: \\|%{NUMBER}\\|%{DATA:qtype}\\|

And when I grok this text "<116>Dec 11 15:29:51 SyslogAlertForwarder: |6583514977575335971|Signature"

How can I get all the fields by subname like timestamp=Dec 11 15:29:51, qtype=Signature the fastest way in code? (Best performance)

I call grok_exec to check whether the text matches the pattern. But I don't know how to get the fields' values in the pattern.

    len = grok_exec(&grok, text, &output);
    if (len == 0) {
        match = true;
    }

Thanks!

thangld322 • Feb 14 '20 03:02