Need help with extractor


I have a log that looks like this.

2020-10-19 20:24:58 ## key:value, key2:value2, key3:value3

## separates the timestamp and actual message (key/value pairs).
key should be stored as fieldname.
value should be stored as the field value.
key/value pairs are separated by comma.

So far, I’ve only managed to use the split & index extractor type to separate the timestamp & actual message.

I’m not sure how I can separate the key/value pairs further by comma.


Found the solution with grok patterns:
%{DATA:timestamp;string} ## %{DATA:key;string}, key2:%{DATA:key2;long}


Congrats on figuring it out yourself.

As you get more comfortable with them, be sure to check out the built-in extractors for things like timestamps, IP addresses, URIs, etc. You also don’t have to typecast DATA as a string; that is how the data is stored by default for that extractor.

Also be aware, there is the possibility of unintended results in your extractor.

After the ##, you missed the “key:” part of the pattern, and since you are extracting DATA, you will end up storing “key:value” in the key field as opposed to just “value”.

Be sure to read up on the documentation and if you don’t have a test system, set yourself up a test input and Index that you can play with.

A Grok Debugger is helpful too…

Good luck.

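As an added example (not code from either poster or from Graylog itself), here is a Python stand-in for the two grok patterns discussed above: grok's DATA is the lazy regex `.*?`, so the pattern without the literal `key:` captures “key:value” into the key field, while the corrected pattern captures only “value”. The log line is constructed, with `key2:42` so the long-typed field has a numeric value, and `parse_kv_message` is a hypothetical generic splitter that handles any number of comma-separated pairs.

```python
import re

# Constructed sample line in the format from the question.
LOG_LINE = "2020-10-19 20:24:58 ## key:value, key2:42, key3:value3"

# Regex equivalent of the pattern posted in the thread. Grok's DATA is '.*?';
# there is no literal 'key:' after '## ', so the 'key' group swallows "key:value"
# and, because nothing anchors key2, it runs to the end of the line (which
# would make the ';long' cast fail in Graylog).
FLAWED = re.compile(r"^(?P<timestamp>.*?) ## (?P<key>.*?), key2:(?P<key2>.*?)$")

# Corrected pattern: every field name is matched literally before its value.
FIXED = re.compile(
    r"^(?P<timestamp>.*?) ## key:(?P<key>.*?), key2:(?P<key2>.*?), key3:(?P<key3>.*?)$"
)


def extract(pattern, line):
    """Return the named captures as a dict, or None when the line does not match."""
    m = pattern.match(line)
    return m.groupdict() if m else None


def parse_kv_message(line, casts=None):
    """Generic version of the extractor: split timestamp from message on ' ## ',
    then split the message on commas and each pair on its first ':'.
    `casts` maps field names to converters (e.g. {"key2": int}) to mimic ';long'."""
    ts, sep, msg = line.partition(" ## ")
    if not sep:
        return None  # no '##' separator: not a line in this format
    fields = {"timestamp": ts}
    for pair in msg.split(","):
        k, sep2, v = pair.strip().partition(":")
        if not sep2 or not k:
            continue  # skip malformed pairs instead of aborting the whole line
        conv = (casts or {}).get(k)
        fields[k] = conv(v) if conv else v
    return fields


if __name__ == "__main__":
    print("flawed :", extract(FLAWED, LOG_LINE))
    print("fixed  :", extract(FIXED, LOG_LINE))
    print("generic:", parse_kv_message(LOG_LINE, casts={"key2": int}))
```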

Thank you! I did miss out the “key:” part of the pattern.
