Extractors - Grok with Regex get first matching string

rake · August 14, 2017, 2:23pm

I’m using a custom Grok rule to extract a value from the log message using regex (Graylog version 2.2.3). When there is more than one match, the extractor is always gives the last matched string as result output. Is there any way I can get the first matched string as output?

For example:
[8/1/17 14:53:23:457 GMT] 00000192 TestServer A Some message contain 1 as integer.

I want to extract the A, so I’m using the following regex in the extractor logic: (\s{1,2}[EWA123]{1}\s) unfortunately this regex also matches 1. I’m looking for a way to get the first matching result not the last matching result.

jtkarvo · August 14, 2017, 4:56pm

if the message after the wanted match always starts with “Some”, you can use that in your regex. If everythin else fails, you can use something like

(\s{1,2}[EWA123]{1}\s).*\s{1,2}[EWA123]{1}\s

but it might be slow.

rake · August 14, 2017, 11:15pm

That “Some” was an example. There is no constant word after A.

system · August 28, 2017, 11:15pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Difficulties to apply extractors using regex Graylog Central (peer support) key_value	47	2525	April 22, 2022
How to get only certain data from grok/regex? Graylog Central (peer support) pipeline-rules , grok-patternspl	6	1907	August 26, 2022
Regular Expression or Grok to extract value Graylog Central (peer support)	3	840	July 29, 2019
Extractor help needed Graylog Central (peer support)	2	818	March 15, 2021
Need help with extractor Graylog Central (peer support)	4	843	March 30, 2021

Extractors - Grok with Regex get first matching string

Related topics