Grok Pattern Question

dtuecks · September 19, 2021, 9:48am

I have the follwing GROK parser in my pipeline to match the line “123 some info text”:

let parsed_data = grok(pattern: “^(?<seq_num>\d{3})\s+(?%{DATA})$”, value: to_string(parsed_fields.in_data), only_named_captures: true);

I’d like to save seq_num (which needs to be exactly 3 digits long) as an integer field, but I don’t know how to do this. I know that I cant do something like ^%{NUMBER:seq_num;int}%{SPACE}%{DATA:info}$, but I’m not sure how I can apply this to my line because this would also (incorrectly) match “22 some info text”.

shoothub · September 20, 2021, 7:55am

Maybe create grok pattern like SEQNUM \d{3} in graylog System - Grok patterns and use it in grok function like %{SEQNUM:int} instead if your regex pattern <seq_num>\d{3}

dtuecks · September 23, 2021, 7:20am

Hi shoothub,

thanks for to suggestion. I thought about that, but what I finally did was to convert the field afterwards and before putting it to the stream:

let parsed_data = grok(pattern: “^(?<seq_num>\d{3})\s+(?%{DATA})$”, value: to_string(parsed_fields.in_data), only_named_captures: true);
set_field(“sequence_number”, to_long(parsed_data.seq_num));

But I’m considering your solution as it is more flexible when converting the whole map to fields (set_fields()).

Thank you!

system · October 7, 2021, 7:21am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Convert fields created by grok pattern as integer Graylog Central (peer support) sidecar , nxlog , nodatanx	3	2926	March 4, 2020
Struggling with parsing number field Graylog Central (peer support)	7	1373	July 31, 2020
Df -h and regex Graylog Central (peer support)	5	656	September 7, 2017
Convert Text to Numeric Field Graylog Central (peer support)	3	2840	November 7, 2018
Problems with Grok Extractor int data type Graylog Central (peer support)	4	745	October 19, 2020

Grok Pattern Question

Related Topics