
Good evening guys!

I wrote a pattern that catches the resource:

X-ray Tracing ID : Root=%{DATA:resource}

In the log excerpt below:

(d9be2aec-d683-4d9b-8d3c-428f1f339416) X-ray Tracing ID : Root=1-612dd69a-4b2951db368113005fb367ce 

However, I am considering a case when an additional fragment after @ appears in the logs, which I would not like to take into account:

(d9be2aec-d683-4d9b-8d3c-428f1f339416) X-ray Tracing ID : Root=1-612dd69a-4b2951db368113005fb367ce@12345678998765 

This is where the grok that I wrote works:

X-ray Tracing ID : Root=%{DATA:resource}[^@]*

And how do I combine these two cases? Similar syntax, except that if @ appears we do not take the rest into account, and if it does not, we take all of it?

I am a beginner in grok patterns, so I would appreciate a tip.

Ryszard Czech
Dawid

1 Answer


If you check the Grok patterns, you will see `DATA .*?`. If your pattern ends with this construct, it won't match anything, as lazy patterns at the end of a regex never consume any text.

I suggest matching all chars other than whitespace and `@` here with `(?<resource>[^[:space:]@]+)` rather than using the `DATA` pattern:

X-ray Tracing ID : Root=(?<resource>[^[:space:]@]+)


Wiktor Stribiżew
  • Thanks Wiktor. Indeed, a good idea. Now I'm wondering how to get rid of the @ ending if it shows up (and it doesn't always show up). I'm looking for a pattern that would satisfy these two cases. – Dawid Sep 23 '21 at 20:18
  • @Dawid That was not actually clear, I thought you wanted to get the rest of the chars after `Root=`. So, you need a custom pattern, `X-ray Tracing ID : Root=(?<resource>[^[:space:]@]+)` – Wiktor Stribiżew Sep 23 '21 at 20:23
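
Added example (not part of the original answer or comments): a Ruby check of the two behaviours described above, run against the two log lines from the question. It assumes Ruby's Onigmo regex engine treats these constructs the same way as the Oniguruma-family engine behind grok, and expands `DATA` by hand to `.*?`; the constant and function names are made up for the illustration.

```ruby
# DATA expanded to its grok definition (.*?) and left at the end of the pattern.
DATA_AT_END   = /X-ray Tracing ID : Root=(?<resource>.*?)/
# The custom pattern from the answer: stop at whitespace or '@'.
NEGATED_CLASS = /X-ray Tracing ID : Root=(?<resource>[^[:space:]@]+)/

# The two log lines from the question, trailing space included.
SAMPLES = [
  "(d9be2aec-d683-4d9b-8d3c-428f1f339416) X-ray Tracing ID : Root=1-612dd69a-4b2951db368113005fb367ce ",
  "(d9be2aec-d683-4d9b-8d3c-428f1f339416) X-ray Tracing ID : Root=1-612dd69a-4b2951db368113005fb367ce@12345678998765 ",
].freeze

# Returns the captured resource, or nil when the line does not match at all.
def extract(pattern, line)
  m = pattern.match(line)
  m && m[:resource]
end

# Runs both patterns over each line so the captures can be compared side by side.
def compare(lines = SAMPLES)
  lines.map do |line|
    { data_at_end: extract(DATA_AT_END, line),
      negated_class: extract(NEGATED_CLASS, line) }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare.each { |result| puts result.inspect }
end
```

The lazy pattern matches both lines but captures an empty string, which is easy to miss in a pipeline because the match itself does not fail.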