logstashlogstash-grok
grok have patterns to skip value
My grok patterns have problem skip value. Please help me to fix my patterns.
My value:
2013-02-28 09:57:56,SERVICEID|0863591797|topup|C00000001||10.0|20170110|N|aaa|bbb|ccc|aaaaabbb|ccccc|kkkkk|hhhhh
My grok pattern:
^%{TIMESTAMP_ISO8601:timestamp}\,%{WORD:SERVICE}\|%{WORD:MSISDN}\|%{WORD:RULEID}\|%{WORD:CAMPCODE}\|(?:.*|%{WORD:CURRENT})\|(?<EVENTVALUE>(?:%{BASE10NUM}))\|%{WORD:EVNETDTTM}\|%{WORD:NEXTWAVE}\|%{GREEDYDATA:NAMEVALUEPAIR}
EVENTVALUE should be 10.0 but can't this value after parsing '20170110' and EVNETDTTM is 'N'
Solution
I'n not sure what you're trying to achieve but following grok expression should match your message:
%{TIMESTAMP_ISO8601:timestamp}\,%{WORD:SERVICE}\|%{WORD:MSISDN}\|%{WORD:RULEID}\|%{WORD:CAMPCODE}\|\|%{NUMBER:CURRENT}\|%{WORD:EVNETDTTM}\|%{WORD:NEXTWAVE}\|%{GREEDYDATA:NAMEVALUEPAIR}
Results on https://grokconstructor.appspot.com:
Edit: If the two backslashes mean that there might be an optional value in between there you could use the following pattern:
%{TIMESTAMP_ISO8601:timestamp}\,%{WORD:SERVICE}\|%{WORD:MSISDN}\|%{WORD:RULEID}\|%{WORD:CAMPCODE}\|(%{WORD:CURRENT})?\|%{NUMBER:EVNETDTTM}\|%{WORD:NEXTWAVE}\|%{GREEDYDATA:NAMEVALUEPAIR}
(%{WORD:CURRENT})? means that CURRENT will be optional, see this question for more details.
New results:
