Grok parsing multi-value field from csv

I’m trying to parse a log line that contains a comma-separated list of values for one key. The maximum count of values is variable, therefore not known beforehand.

My problem is that I only get the first and last value of that list, regardless of which quantifier I use (*, +, {n,m}).

The following is a simplified example for what I’m trying to achieve.

Grok-Pattern “LIST1”:
%{INT:Number}(,%{INT:Number})*

Sample Data:
1,12,123,1234,12345

Test Result:
```json
{
  "LIST1": "1,12,123,1234,12345",
  "Number": [
    "1",
    "12345"
  ]
}
```

Expected Result:
```json
{
  "LIST1": "1,12,123,1234,12345",
  "Number": [
    "1",
    "12",
    "123",
    "1234",
    "12345"
  ]
}
```

Can someone tell me how I can achieve my expected result in Graylog?
If Grok-Patterns are not the right way to do this, I would also appreciate other solutions.

I’m using Graylog 5.2.5 on Ubuntu with Elasticsearch, all in one virtual machine.

Thanks in advance
Philipp

Personally I would probably use split as it will actually turn it into an array, or there is also a csv function now, but I’m not sure how well they will work because of the variation in number of results.

By “split” and “csv” you mean pipeline rule functions, correct?
Then I have to create a new rule for splitting.
The rule then has to go into a following stage, not the same stage where I parse the message with the Grok pattern, right?

There is no direct solution using a Grok pattern?
I thought I had a mistake in my Grok syntax.

Ya split will give you output like this

but it doesn’t have to be a separate rule, you can set any values into a variable, and then keep making changes to that variable in the same rule by running one function after another on it.
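An added example of the split approach described above, written as a Graylog pipeline rule (not code from this thread). It assumes the earlier Grok stage has already stored the comma-separated string in a message field named LIST1, as in the test result above:

```graylog
rule "split LIST1 into Number array"
when
    // only run when the Grok stage produced the field
    has_field("LIST1")
then
    // split(pattern, value) uses a Java regex; "," splits at every comma
    // and returns a list with one entry per value, however many there are
    let parts = split(",", to_string($message.LIST1));
    // storing a list makes Number a multi-value field:
    // ["1", "12", "123", "1234", "12345"]
    set_field("Number", parts);
end
```

Because the rule reads LIST1 from the message, it must run in a stage after the one that applies the Grok pattern, unless the Grok parsing is done inside this same rule with the grok() function and its result assigned to a variable first.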
