logstash-filter-grok icon indicating copy to clipboard operation
logstash-filter-grok copied to clipboard

Published 20 hours ago verified publisher icon logstash-plugins

grok filter: How to match one pattern multiple times?

Open jordansissel opened this issue 9 years ago • 22 comments

(This issue was originally filed by @stbka at https://github.com/elastic/logstash/issues/2006)

I want to match one pattern multiple times in a logevent. Tried different regex pattern but I don't get it working.

Example-event: This is a statusCode="ERROR_121" text to demonstrate my logevent statusCode="WARNING_2408" structure

What I want to have is a statusCode field with "ERROR_121" as well as "WARNING_2408". Notice that it is possible that the event does not contain any statusCode.

My problem is that grok filter finds either just one entry and breaks or if I combine one pattern with a * it does not find anything.

Example-pattern: STATUSCODE [a-zA-Z0-9_-]+ STATUSCODEENTRY statusCode=.%{STATUSCODE:statusCode}. STATUSCODES (%{STATUSCODEENTRY}.+)*

I hope somebody can help me.

Thanks.

jordansissel avatar May 17 '15 23:05 jordansissel

I have the same question. Why was this closed?

tom-christie avatar May 26 '15 16:05 tom-christie

@tom-christie the issue is not closed, it was moved from the main logstash repository to the plugin specific repository.

ph avatar May 26 '15 17:05 ph

:+1: Have also noticed this. A workaround could be to use the split filter and find some sort of delimiter (in this case statusCode= could maybe be used) and send it through the grok filter as separate events...

DustinChaloupka avatar Jul 23 '15 22:07 DustinChaloupka

Maybe related to #34 or #35.

jordansissel avatar Aug 07 '15 21:08 jordansissel

+1 this is more or less what I was looking for with #50 as well!

naisanza avatar Aug 08 '15 02:08 naisanza

+1

Solisol avatar Oct 10 '16 12:10 Solisol

+1

gilles-m avatar Oct 14 '16 13:10 gilles-m

+1

ghost avatar Oct 29 '16 01:10 ghost

+1

thenom avatar Nov 29 '16 09:11 thenom

+1

maniankara avatar Dec 14 '16 08:12 maniankara

+1

okazymyrov avatar Jun 27 '17 14:06 okazymyrov

+1

Name-less avatar Aug 04 '17 13:08 Name-less

Hi devs, really needs this feature.

sergunSpb avatar Sep 11 '18 08:09 sergunSpb

Hi, I'm also looking for this feature. Did someone find a solution?

thadumi avatar Oct 24 '18 10:10 thadumi

I'm also looking for this feature.

torbajanos avatar Oct 30 '18 19:10 torbajanos

Me too! And thanks for making logstash, it's great!

epacke avatar Feb 03 '19 05:02 epacke

Also came here to say this would be a great feature. Either recursive definitions or ideally something like the regex [aZ]{1,3} which will match anything between 1 and 3 alphabetic characters. If we could do this with grok tags like %{NOTSPACE:variable}{1,3}

thommiller avatar Mar 06 '19 10:03 thommiller

It would definitely be a great feature, asked by many users already.

Erni avatar Mar 22 '19 14:03 Erni

I'm also looking for this feature.

galiacheng avatar Aug 20 '20 06:08 galiacheng

Same. Would also perfectly fit for grokking mod_security logs and their tags.

Littlericket avatar Dec 08 '20 15:12 Littlericket

+1

ifleg avatar Feb 01 '21 23:02 ifleg

For those who are interested, I succeeded using the scan function in ruby ! I can extract the tags from modsecurity alerts using the following filter in logstash :

ruby {
	code => "event.set('modsec.tags', event.get('message').scan(/(?<=\[tag \")[^\]]*(?=\"\])/))"
}

This identify ALL the tags in message and put them in the modsec.tags field.

ifleg avatar Feb 02 '21 13:02 ifleg