In Logstash how to extract substring in a bigger string?

Question

Feeling difficulty in writing grok patterns.Please help

I have GetIndicatorsByAnalysisProcessIDServlet service method is called and in this how to extract only GetIndicatorsByAnalysisProcess and text GetIndicatorsByAnalysisProcess will not be same

Here challenging i felt is truncating string from backward direction

i followed up

grok {
  match => ["destinationid", "(?<fieldname>discard.{7})"]
}

it high-lets considering number of characters from start

score 1 · Answer 1 · answered Feb 28 '17 at 16:49

1

If I understand you correctly, you need to have the first word in a variable. This is achievable via

(?<fieldname>[^\s]*)\s*

with sample output from it

{
  "fieldname": [
    [
      "GetIndicatorsByAnalysisProcessIDServlet"
    ]
  ]
}

In case you have various beginnings with optional spaces but an exactly same ending of the sentence, the effective regexp will be different.

answered Feb 28 '17 at 16:49

doz10us

765
7
17

i want to extract only GetIndicatorsByAnalysisProcessID from 'GetIndicatorsByAnalysisProcessIDServlet service method is called' and 'GetIndicatorsByAnalysisProcessID ' can vary like GetIndicatorsByPricingDate that need to extract before servlet 'GetIndicatorsByAnalysisProcessIDServlet service method is called' – Nagappa L M Mar 01 '17 at 07:18

In Logstash how to extract substring in a bigger string?

1 Answers1