Help with Grok Pattern extractor

Hi all,

I’m trying to extract database names from our log messages using Grok pattern extractor on that field. Our database names end with a “_v” and the path in the log looks something like this:
/sys/hadp/apollo/metadata_v/snapshot...
Here, “metadata_v” is the string that I’m trying to extract in order to use it as a key in my lookup table.

I’m just learning Grok and this is what I was able to come up with for achieving this:
%{GREEDYDATA:prefix}/%{GREEDYDATA:table}_v/%{GREEDYDATA:postfix}

but this returns table: “metadata” instead of “metadata_v”
Could anyone please tell me if there is a way to extract the whole string after the preceding “/” until “_v” so I can get the whole table name?
Your help would be really appreciated!

Thanks,
Swarna

Hi Swarna,

you can create a new grok pattern for your tablename format, probably something like this:

TABLENAME with [a-z_]+_v

And change your extracting grok to:

%{GREEDYDATA:prefix}/%{TABLENAME:table}/%{GREEDYDATA:postfix}

Then it will capture also the _v

Hope that helps
jrunu

1 Like

That worked. Thanks a lot for your help @jrunu !

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.