Pipeline grok pattern UPPER CASE processing vars

geosone · February 28, 2018, 1:15pm

i have created an pipeline rule to parse the custom apache logs

rule "apache smsat"
when
 has_field("message") 
then
  // grok the message field
  let message_field = to_string($message.message);
  let parsed_fields = grok(pattern: "%{HOSTNAME:requestdomain} %{COMBINEDAPACHELOG}", value: message_field);
  set_fields(parsed_fields);
end

but the created fields also contain the processing field names like

BASE10NUM COMBINEDAPACHELOG COMMONAPACHELOG HOUR INT IP IPV4 MINUTE MONTH MONTHDAY QUOTEDSTRING SECOND TIME USER USERNAME YEAR

what am i doing wrong or how to get rid of these

jochen · February 28, 2018, 1:22pm

You have to tell the grok() function to only use named captures.

system · March 14, 2018, 1:22pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
3.1 pipeline help Graylog Central (peer support) pipeline-rules , sidecar , winlogbeat	2	785	September 6, 2019
Pipeline Grok function errors Graylog Central (peer support) pipeline-rules , route-to-streampl	8	1563	October 24, 2018
GROK pattern name and {} on the new created field Graylog Central (peer support)	2	724	February 1, 2019
Receiving messages are stopping when running set_fields in pipeline Graylog Central (peer support) pipeline-rules , grok-patternspl	2	408	April 14, 2022
Grok Pipeline only_named_captures Graylog Central (peer support)	3	1969	March 28, 2018

Pipeline grok pattern UPPER CASE processing vars

Related topics