Regular expression to extract part of a file path using the logstash grok filter

regex logstash logstash-grok
flyasfish picture flyasfish · Nov 23, 2012 · Viewed 11.5k times · Source

I am new to regular expressions but I think people here may give me valuable inputs. I am using the logstash grok filter in which I can supply only regular expressions.

I have a string like this

/app/webpf04/sns882A/snsdomain/logs/access.log

I want to use a regular expression to get the sns882A part from the string, which is the substring after the third "/", how can I do that?

I am restricted to regex as grok only accepts regex. Is it possible to use regex for this?

Answer

CWoods picture CWoods · Mar 22, 2014

Yes you can use regular expression to get what you want via grok:

/[^/]+/[^/]+/(?<field1>[^/]+)/

Related questions

How to process multiline log entry with logstash filter?

Background: I have a custom generated log file that has the following pattern : [2014-03-02 17:34:20] - 127.0.0.1|ERROR| E:\xampp\htdocs\test.php|123|subject|The error message goes here ; array ( 'create' => array ( 'key1' => 'value1', 'key2' => …

Read More
GROK Parsing with regex

I am using the following regexes: INT (?:[+-]?(?:[0-9]+)) VALUE ([0-9]+) SPACE \s* DATA .*? USERNAME [a-zA-Z0-9._-]+ YEAR (?>\d\d){1,2} MONTHNUM (?:0?[1-9]|1[0-2]) MONTHDAY (?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) HOUR (?:2[0123]|[01]?[0-9]) MINUTE (?:[0-5][0-9]) SECOND (?:(?:[0-5][0-9]|60)) ISO8601_TIMEZONE (?:Z|[+…

Read More
How do I match a newline in grok/logstash?

I have a remote machine that combines multiline events and sends them across the lumberjack protocol. What comes in is something that looks like this: { "message" => "2014-10-20T20:52:56.133+0000 host 2014-10-20 15:52:56,036 [ERROR ][app.logic ] Failed to turn message …

Read More