1

I'm trying to extract a field out of a log line. I use http://grokdebug.herokuapp.com/ to debug my regular expression with:

(?<action>(?<=action=).*(?=\&))

with input text like this:

 /event?id=123&action={"power":"on"}&package=1

I was able to get a result like this:

{
  "action": [
   "{"power":"on"}"
 ]
}

But when I copy this config to my Logstash config file:

input { stdin{} }

filter {
  grok {
    match => { "message" => "(?<action>(?<=action=).*(?=\&))"}
  }
}

output { stdout {
  codec => 'json'
}}

The output says matching failed:

{"message":" /event?id=123&action={\"power\":\"on\"}&package=1","@version":"1","@timestamp":"2016-01-05T10:30:04.714Z","host":"xxx","tags":["_grokparsefailure"]}

I'm using logstash-2.1.1 in Cygwin. Any idea why this happens?

Gavin Huang

2 Answers

0

It doesn't answer your regexp question, but...

Parse the query string to a separate field and use the kv{} filter on it.

Alain Collins
  • Thank you for offering this approach. I tried to match the query string with %{URIPATH}, but it turns out it can't capture a string that starts with "{" – Gavin Huang Jan 06 '16 at 01:28
  • The curly brace is allowed in URIPATH; it's the double-quote that's not part of that pattern. Use a different pattern. – Alain Collins Jan 06 '16 at 03:35
0

You might experience an issue caused by a greedy dot matching subpattern .*. Since you are only interested in a string of text after action= till the next & or the end of the string, you'd better use a negated character class [^&].

So, use

[?&]action=(?<action>[^&]*)

The [?&] matches either a ? or & and works as a boundary here.

Wiktor Stribiżew
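As an added example (not code from either answer or from Logstash): the question's lookaround pattern and the second answer's negated-class pattern, run over constructed request lines in Ruby, chosen because its regex syntax accepts both patterns as posted. The sample lines and the `extract` / `action_json` helper names are assumptions made for this illustration.

```ruby
require "json"

# Pattern from the question: lookbehind + greedy dot + lookahead for "&".
GREEDY = /(?<action>(?<=action=).*(?=\&))/
# Pattern from the answer: "?" or "&" as boundary, then everything up to the next "&".
NEGATED = /[?&]action=(?<action>[^&]*)/

# Constructed sample request lines (not real log data).
SAMPLES = {
  middle:    '/event?id=123&action={"power":"on"}&package=1',
  two_more:  '/event?id=123&action={"power":"on"}&package=1&debug=0',
  last:      '/event?id=123&action={"power":"on"}',
  lookalike: '/event?transaction=99&action={"power":"off"}&package=1',
}.freeze

# Return the captured "action" text, or nil when the pattern does not match.
def extract(pattern, line)
  m = pattern.match(line)
  m && m[:action]
end

# Parse the captured value as JSON; nil when nothing was captured or the
# capture is not valid JSON (for example because it swallowed other parameters).
def action_json(pattern, line)
  raw = extract(pattern, line)
  return nil if raw.nil?
  JSON.parse(raw)
rescue JSON::ParserError
  nil
end

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |name, line|
    puts "#{name}: greedy=#{extract(GREEDY, line).inspect} " \
         "negated=#{extract(NEGATED, line).inspect}"
  end
end
```

The greedy pattern captures other parameters when more than one follows `action`, returns nothing when `action` is the last parameter, and is thrown off by `transaction=`, while the negated class yields the JSON value in all four lines. It does not reproduce the `_grokparsefailure` from the question, since the first sample matches with both patterns here.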