Graylog grok pattern extractor is not grouping data

Graylog Central (peer support)
1

Hi All,

I am trying to apply grok pattern on the message also trying to group similar data to a specific field, here is the message

    [{"path": "/test/oneday/profile/date=20160927", "tag": "oneday_profile", "stats": {"size": "1.02GB"}}, {"path": "/test//subscriberProfile/oneday/feature", "tag": "oneday_feature", "stats": {"size": "1.28TB"}}, {"path": "/test/staticDataJoin/latest", "tag": "static_data_join", "stats": {"size": "6.64GB"}}, {"path": "/test/agg/profileAgg/date=20160926", "tag": "hist_profile", "stats": {"size": "4.09GB"}}]

my extractor

    \{%{QUOTEDSTRING:UNWANTED}: %{QUOTEDSTRING:UNWANTED}, %{QUOTEDSTRING:UNWANTED}: %{QUOTEDSTRING:tag01}, %{QUOTEDSTRING:UNWANTED}: \{%{QUOTEDSTRING:UNWANTED}: %{QUOTEDSTRING:size01}\}\}, \{%{QUOTEDSTRING:UNWANTED}: %{QUOTEDSTRING:UNWANTED}, %{QUOTEDSTRING:UNWANTED}: %{QUOTEDSTRING:tag01}, %{QUOTEDSTRING:UNWANTED}: \{%{QUOTEDSTRING:UNWANTED}: %{QUOTEDSTRING:size01}\}\}

Before using the grok pattern in graylog, i tried from https://grokdebug.herokuapp.com/, here i am getting data in grouped, example

{
  "UNWANTED": [
    [
      ""path"",
      ""/processed/palomar/parse/subscriberProfile/oneday/profile/date=20160927"",
      ""tag"",
      ""stats"",
      ""size"",
      ""path"",
      ""/processed/palomar/parse//subscriberProfile/oneday/feature"",
      ""tag"",
      ""stats"",
      ""size""
    ]
  ],
  "tag01": [
    [
      ""oneday_profile"",
      ""oneday_feature""
    ]
  ],
  "size01": [
    [
      ""1.02GB"",
      ""1.28TB""
    ]
  ]
}

But if i tried to apply same grok pattern in graylog, its overwriting and getting only last information

size01
1.02GB
tag01
oneday_profile
2

The Grok extractor in Graylog doesn’t support returning multiple values per pattern.

Feel free to create a feature request at https://github.com/Graylog2/graylog2-server/issues/

1 Like
3

Thanks issue created https://github.com/Graylog2/graylog2-server/issues/3557