Grok Pipeline only_named_captures

GTownson · March 13, 2018, 4:51pm

I have no idea how to only capture named grok patterns.

Here is my pipeline config:

rule “HourExtractor”
when
has_field(“TimeStamp”)
then
let Time = to_string($message.TimeStamp);
let Hour = grok(“%{DATA:UNWANTED}T%{NUMBER:Hour}%{DATA:UNWANTED}”, Time);
set_fields(Hour);
end

I have tried adding things such as: “, True” after “Time” and it won’t work at all, I’m sure it’s extremely simple, but I just can’t work it out and there aren’t many examples online.

Cheers,

G

GTownson · March 13, 2018, 5:07pm

Okay so it was just:

let Hour = grok("%{DATA:UNWANTED}T%{NUMBER:Hour}%{DATA:UNWANTED}", Time, true);

I must have tried about every other similar combination apart from just true.

jan · March 14, 2018, 7:24am

you could have also used:

let nexus = grok(pattern: "%{GROKPATTERNS}", value: message_field, only_named_captures: true);

To be more human readable.

system · March 28, 2018, 7:24am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
GROK Extractor Timestamp Question Graylog Central (peer support)	16	2094	August 13, 2020
Grok Pipeline Output Graylog Central (peer support)	5	1411	March 30, 2018
Unwanted Grok Fields Graylog Central (peer support) grok-patternspl	6	590	November 14, 2023
Using Extractors with grok Pattern Graylog Central (peer support) pipeline-rules	3	5510	July 15, 2020
Problems parsing pipe delimited log file with pipeline rules Graylog Central (peer support) pipeline-rules , grok-patternspl	6	1329	January 24, 2022

Grok Pipeline only_named_captures

Related topics