GROK pattern name and {} on the newly created field

Hello everyone,

When I use a GROK pattern in pipelines, I have the name of the pattern and the "{}".

My rules:

rule "grok quote extractor for message"
when
  contains(to_string($message.message), "mp4split.fmp4")
then
  let result = grok("%{QUOTEDSTRING:file}", to_string($message.message));
  set_field("file", result);
end

On my processed log:

Does someone know how to remove it, to keep only the matched value of the GROK pattern?

Regards

Try set_field("file", result.file) - the return value from grok function is always a map.

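The fix from the reply above, written out as two complete pipeline rules (an added example, not code posted by anyone in the thread). The rule titles are made up; the first rule picks the one capture out of the map, the second writes every named capture as its own field with `set_fields`.

```graylog
// Variant 1: store only the "file" capture.
rule "grok quote extractor for message (single field)"
when
  contains(to_string($message.message), "mp4split.fmp4")
then
  // grok() returns a map keyed by capture name, so storing the map itself
  // is what produces the pattern name and braces in the field value.
  // only_named_captures keeps unnamed sub-patterns out of the map.
  let result = grok(
    pattern: "%{QUOTEDSTRING:file}",
    value: to_string($message.message),
    only_named_captures: true
  );
  // Select the single key from the map.
  set_field("file", result.file);
end

// Variant 2: let every named capture become a message field.
rule "grok quote extractor for message (all captures)"
when
  contains(to_string($message.message), "mp4split.fmp4")
then
  let result = grok(
    pattern: "%{QUOTEDSTRING:file}",
    value: to_string($message.message),
    only_named_captures: true
  );
  // set_fields() writes each map entry as its own field, here just "file".
  set_fields(result);
end
```

Use one variant or the other, not both in the same stage. `QUOTEDSTRING` matches the surrounding quote characters as well, so the stored value still includes them.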
