Grok Pipeline only_named_captures

GTownson · March 13, 2018, 4:51pm

I have no idea how to only capture named grok patterns.

Here is my pipeline config:

rule “HourExtractor”
when
has_field(“TimeStamp”)
then
let Time = to_string($message.TimeStamp);
let Hour = grok(“%{DATA:UNWANTED}T%{NUMBER:Hour}%{DATA:UNWANTED}”, Time);
set_fields(Hour);
end

I have tried adding things such as: “, True” after “Time” and it won’t work at all, I’m sure it’s extremely simple, but I just can’t work it out and there aren’t many examples online.

Cheers,

G

GTownson · March 13, 2018, 5:07pm

Okay so it was just:

let Hour = grok("%{DATA:UNWANTED}T%{NUMBER:Hour}%{DATA:UNWANTED}", Time, true);

I must have tried about every other similar combination apart from just true.

jan · March 14, 2018, 7:24am

you could have also used:

let nexus = grok(pattern: "%{GROKPATTERNS}", value: message_field, only_named_captures: true);

To be more human readable.

system · March 28, 2018, 7:24am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
GROK Extractor Timestamp Question Graylog Central (peer support)	16	1844	August 13, 2020
Unwanted Grok Fields Graylog Central (peer support) grok-patternspl	6	286	November 14, 2023
Extractor not showing all named fields with show named fields only Graylog Central (peer support)	3	1163	January 28, 2019
Grok Pattern Question Graylog Central (peer support)	3	347	October 7, 2021
How to get only certain data from grok/regex? Graylog Central (peer support) pipeline-rules , grok-patternspl	6	1417	August 26, 2022

Grok Pipeline only_named_captures

Related Topics