I'm using logstash to parse a value like:
|SERVLETSESSIONS=|
My bit to capture it is:
\|SERVLETSESSIONS=(?<servlet_sessions>[0-9]*)\|
I do not get an error, and all my other fields match, but I think I should get an empty value like "servlet_sessions" => "" in my stdout { codec => rubydebug } } but I do not have the servlet_sessions key there.
Any ideas?
I think you are looking for the keep_empty_captures parameter of the Grok filter configuration.
    input { stdin { } }
    filter {
      grok {
        keep_empty_captures => true
        match => { "message" => "\|SERVLETSESSIONS=(?<servlet_sessions>[0-9]*)\|" }
      }
    }
    output { stdout { codec => rubydebug } }
The above configuration results in the following output:
    {
        "message" => "|SERVLETSESSIONS=|",
        "@version" => "1",
        "@timestamp" => "2015-09-09T13:44:52.754Z",
        "host" => "localhost",
        "servlet_sessions" => ""
    }
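
The behaviour discussed above, emulated in plain Ruby as an added example (not Logstash's code and not part of either post): the regex matches `|SERVLETSESSIONS=|`, and the key goes missing only because empty captures are dropped afterwards. A missing key therefore means something different from a failed match, which grok marks with its default `_grokparsefailure` tag. `grok_like`, `PATTERN` and `SAMPLES` are hypothetical names, and the sample lines are constructed.

```ruby
# Minimal emulation of grok's handling of empty named captures.
# grok_like is a hypothetical helper, not a Logstash API.

PATTERN = /\|SERVLETSESSIONS=(?<servlet_sessions>[0-9]*)\|/

def grok_like(pattern, message, keep_empty_captures: false)
  event = { "message" => message }
  match = pattern.match(message)

  # No match at all: the event is tagged as a parse failure, no fields added.
  if match.nil?
    event["tags"] = ["_grokparsefailure"]
    return event
  end

  # Match succeeded: copy named captures, skipping nil/empty ones
  # unless keep_empty_captures is set.
  match.names.each do |name|
    value = match[name]
    next if (value.nil? || value.empty?) && !keep_empty_captures
    event[name] = value
  end
  event
end

# Constructed sample lines: empty value, populated value, unrelated line.
SAMPLES = ["|SERVLETSESSIONS=|", "|SERVLETSESSIONS=42|", "|OTHER=1|"]

if __FILE__ == $0
  SAMPLES.each do |line|
    [false, true].each do |keep|
      event = grok_like(PATTERN, line, keep_empty_captures: keep)
      puts "keep_empty_captures=#{keep} #{event.inspect}"
    end
  end
end
```

When a downstream alert or dashboard depends on the field, check for the failure tag as well as the key, so an empty value is not mistaken for an unparsed line.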