Grok
Grok is a wrapper around regular expressions: it provides a set of ready-to-use patterns, each of which compiles into a standard regular expression.
General syntax is:
%{<PATTERN>[:name][:rule,...]}
Where:
- <PATTERN> is a Grok pattern name
- [name] is a field name, which defaults to PATTERN
- [rule,...] is one or more rules to apply to the extracted value
Comparison with Logstash's Grok filter
M42PL supports two additional options:
- name can refer to a nested field, such as user.name
- One or more rule can be added after name to post-process the parsed value
Example
Input:
userName="john" userID=42 action="login"
Grok expression:
userName="%{DATA:user.name}" userID=%{NUMBER:user.id:int} action="%{DATA:action.name}"
Result:
{
  "user": {
    "name": "john",
    "id": 42
  },
  "action": {
    "name": "login"
  }
}
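The following sketch is an added illustration, not M42PL's own code: it shows how an expression in the syntax above can be compiled into a standard regular expression, with nested field names and rules applied after matching. The DATA and NUMBER definitions are simplified stand-ins, only a subset of the rules is implemented, and the function names are hypothetical.

```python
import re

# Simplified stand-ins for two Grok patterns (assumption: not M42PL's pattern file).
PATTERNS = {"DATA": r".*?", "NUMBER": r"[+-]?\d+(?:\.\d+)?"}
# A subset of the rules listed on this page, as plain Python callables.
RULES = {"str": str, "int": int, "float": float,
         "upper": lambda v: str(v).upper(), "lower": lambda v: str(v).lower()}
# Matches %{PATTERN[:name][:rule,...]}
TOKEN = re.compile(r"%\{(\w+)(?::([\w.]+))?(?::([\w,]+))?\}")


def compile_grok(expression):
    """Turn a Grok expression into (regex, [(field path, rule names), ...])."""
    fields = []

    def expand(match):
        pattern, name, rules = match.groups()
        fields.append((name or pattern, rules.split(",") if rules else []))
        # Dotted names are not valid regex group names, so use g0, g1, ...
        return f"(?P<g{len(fields) - 1}>{PATTERNS[pattern]})"

    return re.compile(TOKEN.sub(expand, expression)), fields


def grok(expression, line):
    """Parse one line; return a nested dict, or None when the line does not match."""
    regex, fields = compile_grok(expression)
    match = regex.search(line)
    if match is None:
        return None
    event = {}
    for index, (path, rules) in enumerate(fields):
        value = match.group(f"g{index}")
        for rule in rules:  # rules are applied left to right
            value = RULES[rule](value)
        *parents, leaf = path.split(".")
        node = event
        for key in parents:  # create intermediate objects for nested names
            node = node.setdefault(key, {})
        node[leaf] = value
    return event


EXPR = 'userName="%{DATA:user.name}" userID=%{NUMBER:user.id:int} action="%{DATA:action.name}"'
print(grok(EXPR, 'userName="john" userID=42 action="login"'))
```

A line that does not match the expression yields None rather than a partial event, which keeps malformed or truncated log lines from being indexed with missing fields.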
Patterns
The default patterns are available here: Repository
Pattern source
The author would like to note that he copied the Grok patterns from the following repository some months ago, and has not managed to find the original file again to cite it here: Repository
Rules
- str: Cast to a string
- int: Cast to an integer
- float: Cast to a float
- upper: Convert to uppercase
- lower: Convert to lowercase
- list: Convert to a list