I have to use zero-length regexp in Grok pattern.
I've tested it in online grok constructor. It works.
But the same pattern doesn't work in my docker container. I've tested in Logstash v6.6.1, v7.3.0.
I've also tried a different regexp: .{0}, ^$.
Example of the log:
17:16:09,691 INFO blablabla
The Logstash pattern
%{TIME:time} %{LOGLEVEL:severity} %{GREEDYDATA:message}(?<zero_length_field>())
Grok constructor results. It is expected
MATCHED
time 17:16:09,691
severity INFO
message blablabla
zero_length_field
Stdout results in a docker container
"severity" => "info",
"time" => 17:16:09,691
"version" => "0.3.0",
"message" => " blablabla",
You need to set keep_empty_captures to true as by default, it is set to false:
keep_empty_captures
- Value type is boolean
- Default value isfalse
Iftrue, keep empty captures as event fields.
So, use
grok {
keep_empty_captures => true
match => { "message" => "%{TIME:time} %{LOGLEVEL:severity} %{GREEDYDATA:message}(?<zero_length_field>)"}
}