regex, logstash, logstash-grok

How to Grok a pattern into multiple field names


How can I grok a matched pattern into multiple field names?

Is it possible to parse and assign a matched pattern twice with Grok?

Minimal, Complete, Verifiable Example

Take this log line:

09/26/2019 Keith Miklas

Apply this grok filter:

%{DATE:date}\s*%{WORD:first_name}\s*%{WORD:last_name}

This yields:

{
  "date": [
    [
      "09/26/2019"
    ]
  ],
  "first_name": [
    [
      "Keith"
    ]
  ],
  "last_name": [
    [
      "Miklas"
    ]
  ]
}

What I need is a grok filter something like this:

%{DATE:date}\s*%{WORD:first_name,fn}\s*%{WORD:last_name,ln}
%{DATE:date}\s*%{WORD:first_name&fn}\s*%{WORD:last_name&ln}
%{DATE:date}\s*%{WORD:first_name|fn}\s*%{WORD:last_name|ln}

Yielding this:

{
  "date": [
    [
      "09/26/2019"
    ]
  ],
  "first_name": [
    [
      "Keith"
    ]
  ],
  "fn": [
    [
      "Keith"
    ]
  ],
  "last_name": [
    [
      "Miklas"
    ]
  ],
  "ln": [
    [
      "Miklas"
    ]
  ]
}

Solution

  • You may wrap the parts you need with named capturing groups:

    %{DATE:date}\s*(?<fn>%{WORD:first_name})\s*(?<ln>%{WORD:last_name})
                   ^^^^^^                  ^   ^^^^^^                 ^
    

    Output:

    {
      "date": [
        [
          "09/26/2019"
        ]
      ],
      "fn": [
        [
          "Keith"
        ]
      ],
      "first_name": [
        [
          "Keith"
        ]
      ],
      "ln": [
        [
          "Miklas"
        ]
      ],
      "last_name": [
        [
          "Miklas"
        ]
      ]
    }
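The mechanism behind the accepted answer is that grok compiles `%{PATTERN:field}` references down to ordinary named capture groups, so an extra `(?<name>...)` wrapped around a reference simply yields a second group with the same text. The following is an added example, not code from the answer or from Logstash itself: a minimal grok expander written against Python's `re` module that runs the question's log line through both the original filter and the answer's filter. It assumes a constructed, simplified pattern library (`DATE` here only matches `MM/DD/YYYY`, whereas real grok's `DATE` is a large alternation) and rewrites Oniguruma-style `(?<name>...)` groups to the `(?P<name>...)` form Python requires; the results come back as flat strings rather than the nested lists the grok debugger prints.

```python
import re

# Constructed, simplified pattern library (assumption): real grok's DATE is a
# much larger alternation; these two entries are enough to run the page's examples.
PATTERNS = {
    "WORD": r"\b\w+\b",
    "DATE": r"\d{2}/\d{2}/\d{4}",
}

# Matches a grok reference such as %{WORD:first_name} or a bare %{WORD}.
GROK_REF = re.compile(r"%\{(?P<pattern>\w+)(?::(?P<field>\w+))?\}")


def expand(grok_expr: str) -> str:
    """Translate a grok expression into a Python regular expression.

    %{PAT:field} becomes (?P<field>regex), %{PAT} becomes (?:regex), and any
    Oniguruma-style (?<name>...) group is rewritten to (?P<name>...) because
    Python's re module only accepts the (?P<...>) spelling for named groups.
    """
    def replace_ref(m: re.Match) -> str:
        regex = PATTERNS[m.group("pattern")]
        field = m.group("field")
        if field:
            return f"(?P<{field}>{regex})"
        return f"(?:{regex})"

    out = GROK_REF.sub(replace_ref, grok_expr)
    # (?<name> ... ) -> (?P<name> ... ); lookbehinds (?<= / (?<! are not touched
    # because \w+ will not match the '=' or '!' that follows their '<'.
    out = re.sub(r"\(\?<(?P<name>\w+)>", r"(?P<\g<name>>", out)
    return out


def grok(grok_expr: str, line: str) -> dict:
    """Apply a grok expression to one log line and return the captured fields."""
    m = re.search(expand(grok_expr), line)
    return m.groupdict() if m else {}


# The question's log line and the two filters under discussion.
LINE = "09/26/2019 Keith Miklas"
ORIGINAL = r"%{DATE:date}\s*%{WORD:first_name}\s*%{WORD:last_name}"
DUPLICATED = r"%{DATE:date}\s*(?<fn>%{WORD:first_name})\s*(?<ln>%{WORD:last_name})"

if __name__ == "__main__":
    print(expand(DUPLICATED))
    print(grok(ORIGINAL, LINE))    # three fields
    print(grok(DUPLICATED, LINE))  # five fields: fn/first_name and ln/last_name agree
```

Printing `expand(DUPLICATED)` makes the point visible: the wrapped reference compiles to `(?P<fn>(?P<first_name>\b\w+\b))`, two named groups spanning the same characters, which is exactly why the grok debugger reports `Keith` under both `fn` and `first_name`.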