Grok Processor - logzio/sawmill GitHub Wiki

Grok [grok]

This processor allows you to extract fields from a string field using GROK expressions which are made up of GROK patterns. You can find the build in grok patterns here. You can learn about grok and test your expressions on Grok Debugger.

field
patterns [array]
overwrite [array] (optional)
ignoreMissing [boolean default = true means that if the field is missing this is considered successful] (optional)

Examples

Log sample

2021-06-21T20:19:40.45+01:00 DEBUG This should be a log sample

{
  "steps": [
    {
      "grok": {
        "config": {
          "field": "message",
          "overwrite": [
            "message"
          ],
          "patterns": [
            "^%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:logLevel} %{GREEDYDATA:message}$"
          ]
        }
      }
    }
  ]
}

Log sample

128.39.24.23 - - [25/Dec/2021:12:16:50 +0000] "GET /category/electronics HTTP/1.1" 200 61 "/category/finance" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"

{
  "steps": [
    {
      "grok": {
        "config": {
          "field": "message",
          "patterns": [
            "^%{IP:ip} - - \\[%{HTTPDATE:timestamp}\\] \"%{WORD:verb} %{DATA:request}\" %{NUMBER:status} %{NUMBER:bytes} \"%{DATA:referrer}\"%{DATA}\\(%{WORD};%{DATA}; %{WORD:os}"
          ]
        }
      }
    }
  ]
}