Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

how to effectively apply multiple parsers with parse_groks and parse_regex #246

Closed
dss010101 opened this issue May 16, 2023 · 1 comment
Closed

how to effectively apply multiple parsers with parse_groks and parse_regex #246

dss010101 opened this issue May 16, 2023 · 1 comment

Comments

@dss010101
Copy link

Hi,
i have logs that can look like shown below. There could be other variations.
I'd like to parse these, and in the case where there is a pattern 'app_id:<some_id>', also parse that out.

[2023-05-15 11:52:29,401][2555:140431094425152][INFO][app_service.run] initalizing application
[2023-05-15 11:53:29,401][2555:140431094425152][INFO][app_service.run] app_id:my_app_12345 initialized.
[2023-05-15 11:54:29,401][2555:140431094425152]INFO:app_service: request recieved with args...

I've tried parse_groks, with some success..but for some reason parsing the run_id does not seem to work for me:

source = '''
    . |= parse_groks!(
            .message, 
            patterns:[
                "\\[%{TIMESTAMP_ISO8601:log_time}\\]\\[%{INT:pid}:%{INT:tid}\\]\\[%{WORD:severity}\\]\\[%{WORD:module}.%{WORD:func}\\] %{GREEDYDATA:msg}",
                "\\[%{TIMESTAMP_ISO8601:log_time}\\]\\[%{INT:pid}:%{INT:tid}\\]\\[%{WORD:severity}\\]\\[%{WORD:module}.%{WORD:func}\\] app_id:%{NOTSPACE:app_id} %{GREEDYDATA:msg}",
                "\\[%{TIMESTAMP_ISO8601:log_time}\\]\\[%{INT:pid}:%{INT:tid}\\]%{WORD:severity}:%{WORD:module}:%{GREEDYDATA:msg}"
            ]
    )
'''

Also read that grok internally uses regex, so thought maybe it would be more efficient to use regex as id be removing one layer...but cant find much documentation or examples on how to do multiple parsing or 'sub-parsing' of fields. Tried below, where the first part by itself works, but i am not then able to split the .msg field into app_id and the actual message. that throws the exception: "this expression must resolve to an object"

source = '''
    . |= parse_regex!(
                .message, 
                pattern: r'^\[(?P<log_time>.+)\]\[(?P<pid>\d+):(?P<tid>\d+)\]\[(?P<severity>\w+)\]\[(?P<module>\w+)\.(?P<func>\w+)\] (?P<msg>.*$)'
        )
    .msg |= parse_regex!(
                .msg, 
                pattern: r'^.+app_id:(?P<app_id>\w+) (?P<msg>.*)$'
        )

'''

Any help on trying to get this right is appreciated...
@dss010101 dss010101 mentioned this issue May 16, 2023
Open
@jszwedko
Copy link
Member

This appears to be the same as vectordotdev/vector#17397 so I'll close this one as the other is older and already has a response on it.

@jszwedko jszwedko closed this as not planned Won't fix, can't repro, duplicate, stale May 16, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jszwedko @dss010101