Grok Processor
Naama Bendalak edited this page Aug 1, 2024
This processor extracts fields from a string field using a grok expression, which is composed of grok patterns. You can find the built-in grok patterns here. You can learn about grok and test your expressions on Grok Debugger.

Configuration:
- field: the string field to parse
- patterns [array]: the grok expressions to apply
- overwrite [array] (optional): fields the processor may overwrite if they already exist
- ignoreMissing [boolean] (optional, default = true): when true, a missing source field is considered a success
Log sample
2021-06-21T20:19:40.45+01:00 DEBUG This should be a log sample

{
  "steps": [
    {
      "grok": {
        "config": {
          "field": "message",
          "overwrite": [
            "message"
          ],
          "patterns": [
            "^%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:logLevel} %{GREEDYDATA:message}$"
          ]
        }
      }
    }
  ]
}
Log sample
128.39.24.23 - - [25/Dec/2021:12:16:50 +0000] "GET /category/electronics HTTP/1.1" 200 61 "/category/finance" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"

{
  "steps": [
    {
      "grok": {
        "config": {
          "field": "message",
          "patterns": [
            "^%{IP:ip} - - \\[%{HTTPDATE:timestamp}\\] \"%{WORD:verb} %{DATA:request}\" %{NUMBER:status} %{NUMBER:bytes} \"%{DATA:referrer}\"%{DATA}\\(%{WORD};%{DATA}; %{WORD:os}"
          ]
        }
      }
    }
  ]
}
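To make the two examples above concrete, the following Python script is an added illustration, not the processor's own code. It expands a grok expression into a regular expression, runs both page configs (parsed from their JSON exactly as written, escaping included) over the two sample lines, and exercises the `ignoreMissing` and `overwrite` options. The pattern table is a small, simplified subset of the standard grok library constructed for this example, and the handling of an existing field that is not listed in `overwrite` (left untouched here) is an assumption, since the page does not describe that case.

```python
import json
import re

# Minimal subset of the standard grok pattern library. These regexes are
# simplified versions constructed for this example; the real library is
# larger and stricter, so treat them as illustrative only.
GROK_PATTERNS = {
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "NUMBER": r"[+-]?(?:\d+\.?\d*|\.\d+)",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|WARN(?:ING)?|ERROR|FATAL|CRITICAL)",
    "TIMESTAMP_ISO8601": (r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}"
                          r"(?::\d{2}(?:\.\d+)?)?(?:Z|[+-]\d{2}:?\d{2})?"),
    "HTTPDATE": r"\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
}

# Matches %{PATTERN} or %{PATTERN:field} inside a grok expression.
_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(expression):
    """Expand grok references into a compiled Python regex.

    Named references become named capture groups; unnamed ones become
    non-capturing groups, so they must match but produce no field.
    An unknown pattern name raises KeyError instead of silently matching.
    """
    def expand(match):
        name, field = match.group(1), match.group(2)
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(_GROK_REF.sub(expand, expression))


def grok_process(doc, config):
    """Apply one grok step to a document (a dict), in place.

    Returns True on success and False on failure. A missing source field
    counts as success when ignoreMissing is true (the default), as the
    page states. Existing fields not listed in overwrite are left alone;
    that part is an assumption made for this example.
    """
    field = config["field"]
    if field not in doc:
        return config.get("ignoreMissing", True)
    value = doc[field]
    if not isinstance(value, str):
        return False
    overwrite = set(config.get("overwrite", []))
    for expression in config["patterns"]:  # first matching expression wins
        match = grok_to_regex(expression).search(value)
        if match is None:
            continue
        for name, captured in match.groupdict().items():
            if captured is None or (name in doc and name not in overwrite):
                continue
            doc[name] = captured
        return True
    return False


# Both configs are copied from the page; the JSON escaping (\\[ and \") is
# exactly what the grok step expects, so they are parsed rather than retyped.
APP_LOG_CONFIG = json.loads(r'''{
  "field": "message",
  "overwrite": ["message"],
  "patterns": ["^%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:logLevel} %{GREEDYDATA:message}$"]
}''')

ACCESS_LOG_CONFIG = json.loads(r'''{
  "field": "message",
  "patterns": ["^%{IP:ip} - - \\[%{HTTPDATE:timestamp}\\] \"%{WORD:verb} %{DATA:request}\" %{NUMBER:status} %{NUMBER:bytes} \"%{DATA:referrer}\"%{DATA}\\(%{WORD};%{DATA}; %{WORD:os}"]
}''')

APP_LINE = "2021-06-21T20:19:40.45+01:00 DEBUG This should be a log sample"
ACCESS_LINE = ('128.39.24.23 - - [25/Dec/2021:12:16:50 +0000] '
               '"GET /category/electronics HTTP/1.1" 200 61 '
               '"/category/finance" "Mozilla/5.0 (compatible; MSIE 9.0; '
               'Windows NT 6.1; Trident/5.0)"')


def run_samples():
    """Run both page samples plus the missing-field and no-overwrite cases."""
    app, access, app_keep = {"message": APP_LINE}, {"message": ACCESS_LINE}, {"message": APP_LINE}
    no_overwrite = {k: v for k, v in APP_LOG_CONFIG.items() if k != "overwrite"}
    return {
        "app_ok": grok_process(app, APP_LOG_CONFIG),
        "app": app,
        "access_ok": grok_process(access, ACCESS_LOG_CONFIG),
        "access": access,
        # Without "message" in overwrite the original line is preserved (assumption).
        "app_keep_ok": grok_process(app_keep, no_overwrite),
        "app_keep": app_keep,
        # Missing source field: success by default, failure when ignoreMissing=false.
        "missing_default": grok_process({}, APP_LOG_CONFIG),
        "missing_strict": grok_process({}, dict(APP_LOG_CONFIG, ignoreMissing=False)),
    }


if __name__ == "__main__":
    print(json.dumps(run_samples(), indent=2))
```

Running the script prints the enriched documents: the first sample yields `timestamp`, `logLevel` and a `message` reduced to the text after the level (because `message` is listed in `overwrite`), and the second yields `ip`, `timestamp`, `verb`, `request`, `status`, `bytes`, `referrer` and `os` while the unnamed `%{WORD}` and `%{DATA}` references consume text without creating fields. Note that `DATA` is non-greedy, so a pattern like the access-log one relies on the literal delimiters (`"`, `;`, `(`) to decide where each field ends.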