0

I've noticed some people use the 3rd part in a grok matching predicate, like

%{NUMBER:response_status:int}
                          ^--- ??

It's obvious what the first 2 mean, and I can guess that the 3rd one is an explicit type of the result, but I cannot find a comprehensive explanation of what that 3rd part is.

I checked both the Logstash documentation and Grok's, and cannot see any trace of a comprehensive syntax description.

Any references?

UPD:

Here is an example showing that it works and is syntactically correct:

For the config file:

input { stdin { } }

filter {
    grok {
        match => [
            "message", "%{NUMBER:a_number:float}"
        ]
    }
}

output { stdout { codec => rubydebug } }

The output for 12345 is:

{
   "message" => "12345",
  "@version" => "1",
"@timestamp" => "2014-10-08T01:08:49.087Z",
      "host" => "logstash",
  "a_number" => 12345.0
}

If you remove :float then it changes to

{
   "message" => "12345",
  "@version" => "1",
"@timestamp" => "2014-10-08T01:09:46.055Z",
      "host" => "logstash",
  "a_number" => "12345"
}

This is true for at least Logstash v1.4.2.

zerkms
  • Can you show where you see people using 3 parts in a grok? So far, I have never seen anyone use 3 parts in logstash grok. – Ban-Chuan Lim Oct 08 '14 at 00:12
  • @BenLim for example here https://gist.githubusercontent.com/poolski/9911628/raw/postfix.grok (just a random result, not the one I use). And it really affects the result: the type of matched result is a string by default and changed to an integer with the given modifier. – zerkms Oct 08 '14 at 00:14
  • The 3 parts in grok is invalid in logstash. You can refer to here: https://github.com/elasticsearch/logstash/blob/v1.4.2/patterns/grok-patterns. So, I think logstash can't use 3 parts grok. – Ban-Chuan Lim Oct 08 '14 at 01:04
  • @BenLim: "The 3 parts in grok is invalid in logstash" --- it's not true. See the update to the question. – zerkms Oct 08 '14 at 01:10
  • Sorry about that. Thanks for your mention. – Ban-Chuan Lim Oct 08 '14 at 03:10

2 Answers

1

This is correct. All data are saved as a string by default. Optionally, there are two ways to coerce the type of data, with grok and mutate. This article explains this ... check out "coercing a data type in logstash" in http://www.elasticsearch.org/blog/little-logstash-lessons-part-using-grok-mutate-type-data/

evivasp
0

I was not attentive enough and the answer is on the http://logstash.net/docs/1.4.2/filters/grok page:

Optionally you can add a data type conversion to your grok pattern. By default all semantics are saved as strings. If you wish to convert a semantic’s data type, for example change a string to an integer then suffix it with the target data type. For example %{NUMBER:num:int} which converts the ‘num’ semantic from a string to an integer. Currently the only supported conversions are int and float.

zerkms
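As an added illustration (not part of the original question or answers, and not Logstash's own code), this Ruby model of the three-part predicate %{SYNTAX:SEMANTIC:TYPE} shows why the type suffix matters for numeric checks on parsed log fields. The PATTERNS table is a simplified, constructed stand-in for the real grok-patterns file, the helper names compile, grok and client_error? are hypothetical, and rejecting types other than int and float is this example's choice.

```ruby
# Added illustration, not Logstash source: a small model of %{SYNTAX:SEMANTIC:TYPE}.
# PATTERNS is a constructed, simplified table; the real definitions live in grok-patterns.
PATTERNS = {
  "NUMBER" => '[+-]?(?:\d+(?:\.\d+)?)',
  "WORD"   => '\w+',
  "IP"     => '(?:\d{1,3}\.){3}\d{1,3}'
}.freeze

# The only conversions the grok documentation quoted above lists.
COERCE = { "int" => :to_i, "float" => :to_f }.freeze

PREDICATE = /%\{(\w+)(?::(\w+))?(?::(\w+))?\}/

# Compile a grok-style expression to [Regexp, {field => conversion method}].
def compile(expr)
  types = {}
  source = expr.gsub(PREDICATE) do
    syntax, semantic, type = $1, $2, $3
    body = PATTERNS.fetch(syntax) { raise ArgumentError, "unknown pattern #{syntax}" }
    next "(?:#{body})" unless semantic # no name: match but do not capture
    if type
      # Rejecting any other type is this example's choice.
      types[semantic] = COERCE.fetch(type) { raise ArgumentError, "unsupported type #{type}" }
    end
    "(?<#{semantic}>#{body})"
  end
  [Regexp.new(source), types]
end

# Return the captured fields, coerced where a type was given; nil when nothing matches.
def grok(expr, line)
  regex, types = compile(expr)
  m = regex.match(line) or return nil
  m.names.each_with_object({}) do |name, event|
    event[name] = types.key?(name) ? m[name].public_send(types[name]) : m[name]
  end
end

# Constructed sample log line.
LINE = "203.0.113.7 GET 404 0.125"
TYPED   = grok("%{IP:client} %{WORD:verb} %{NUMBER:status:int} %{NUMBER:took:float}", LINE)
UNTYPED = grok("%{IP:client} %{WORD:verb} %{NUMBER:status} %{NUMBER:took}", LINE)

# A numeric range check only works once the field is a number, not a string.
def client_error?(event)
  event["status"].is_a?(Integer) && event["status"].between?(400, 499)
end
```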