How to combine characters to create custom pattern in GROK

Question

I'm new to logstash and grok and have a question regarding a pattern.

Jul 26 09:46:37

The above content contains %{MONTH} %{MONTHDAY} %{TIME} and white spaces.

I need to know how to combine all these and create a pattern %{sample_timestamp}

Thanks!

score 7 · Accepted Answer · answered Jul 27 '16 at 14:29

Quotes from the Grok Custom Patterns Docs (RTFM):

First, you can use the Oniguruma syntax for named capture which will let you match a piece of text and save it as a field:
(?<field_name>the pattern here)
...

Alternately, you can create a custom patterns file.

Create a directory called patterns with a file in it called extra (the file name doesn’t matter, but name it meaningfully for yourself)

In that file, write the pattern you need as the pattern name, a space, then the regexp for that pattern.

So you could create a pattern file that contained the line:

CUST_DATE %{MONTH} %{MONTHDAY} %{TIME}

Then use the patterns_dir setting in this plugin to tell logstash where your custom patterns directory is.

 filter {
   grok {
     patterns_dir => ["./patterns"]
     match => { "message" => "%{CUST_DATE:datestamp}" }
   }
 }

Would result in the field:

 datestamp => "Jul 26 09:46:37"

Is it not necessary to add `/s` for the white spaces for the pattern `CUST_DATE %{MONTH} %{MONTHDAY} %{TIME}` ? — Jerald Sabu M, Jul 29 '16 at 06:09

Thiago Falcao · Answer 2 · 2019-04-11T20:43:58.477

6

Filter

use pattern_definitions to define your patterns

filter {
  grok {
    pattern_definitions => { "MY_DATE" => "%{MONTH} %{MONTHDAY} %{TIME}" }
    match => { "message" => "%{MY_DATE:timestamp}" }
  }
}

Result

{
  "timestamp": "Jul 26 09:46:37"
}

Tested using Logstash 6.5

edited Apr 11 '19 at 20:43

answered Apr 10 '19 at 17:33

Thiago Falcao

4,463
39
34

How to combine characters to create custom pattern in GROK

2 Answers2

Filter

Result