Using multiple Grok patterns to assign a value to one field

My question is about how to use Grok patterns.

I am aware that, given an existing Grok pattern, I can use the following syntax to assign the value to a field:

%{DATESTAMP_RFC822:timestamp}

I also know that I can create my own custom pattern and use it with the patternsDir field.

My question is whether I can use a combination of Grok patterns to parse and assign the value to a field.

For example, here is the 'definition' of the DATESTAMP_RFC822 pattern:

DATESTAMP_RFC822 = %{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}

If I don't want %{TZ} as part of the pattern, how do I use the rest of the pattern to parse and assign the timestamp? Something similar to ...

?<timestamp>%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME}

I know the above doesn't work. But I hope it is clear what I want to achieve.

Warmup answered 30/11, 2016 at 22:57

Just found the answer. My last attempt was actually correct.

?<timestamp>%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME}

I just needed to add an opening '(' and a closing ')' to make it work.

(?<timestamp>%{MONTH}/%{MONTHDAY} %{HOUR}:?%{MINUTE}(?::?%{SECOND}))
Warmup answered 1/12, 2016 at 20:42
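
The behaviour described in the answer, as an added example that is not part of the original post: a small Python stand-in for a grok engine, showing that a combination of patterns is assigned to one field only when it sits inside a complete (?<field>...) group, and that the bare ?<field> form does not compile. The pattern definitions below are simplified assumptions rather than the stock grok definitions, and the log line is constructed.

```python
import re

# Simplified stand-ins for the stock grok definitions (assumptions for this
# example; the real pattern files are stricter and more complete).
PATTERNS = {
    "DAY": r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)[a-z]*",
    "MONTH": r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*",
    "MONTHDAY": r"(?:0?[1-9]|[12][0-9]|3[01])",
    "YEAR": r"\d{4}",
    "HOUR": r"(?:2[0-3]|[01]?[0-9])",
    "MINUTE": r"[0-5][0-9]",
    "SECOND": r"[0-5][0-9]",
    "TIME": r"%{HOUR}:%{MINUTE}:%{SECOND}",
    "TZ": r"[A-Z]{3}",
    "DATESTAMP_RFC822": r"%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}",
}

# Constructed sample log line.
LINE = "Wed Nov 30 2016 22:57:01 UTC login failed for user admin"
_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def grok_to_regex(expr, depth=0):
    """Expand %{NAME} and %{NAME:field} references into a Python regex."""
    if depth > 10:
        raise ValueError("pattern nesting too deep (possible cycle)")
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = grok_to_regex(PATTERNS[name], depth + 1)
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    # Grok's named group (?<name>...) is spelled (?P<name>...) in Python.
    expr = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", expr)
    return _REF.sub(expand, expr)

def grok_match(expr, line):
    """Return the captured fields as a dict, or None if the line does not match."""
    m = re.search(grok_to_regex(expr), line)
    return m.groupdict() if m else None

if __name__ == "__main__":
    print(grok_match("(?<timestamp>%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME})", LINE))
    try:
        grok_match("?<timestamp>%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME}", LINE)
    except re.error as e:
        print("without parentheses:", e)
```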
