0

I'm trying to clear up a log entry within an ELK stack using grok. I have the following text to still tackle:

/mnt/drive/fish/Cap Camel/Indigo - [Fair Game].jpg (34523) [2,0,34523,0,0,2,2]
/mnt/drive/fish/Cap Camel/Indigo - [Fair Game].jpg
/mnt/drive/fish/Cap Camel (1358)/Indigo - [Fair Game].jpg

I want the path but it contains spaces, caps and special characters etc?

Thanks

Improve this question
7
  • Try ^(?<file>(?:/[^/]+)+\.jpg) Commented Jan 3, 2017 at 23:26
  • I should've been clear, the files aren't always jpg, could be any extension. The path in effect ends with the first ( Commented Jan 3, 2017 at 23:27
  • Then try ^(?<file>.*?)\s*\(, if the file path goes until whitespaces + ( right after. Commented Jan 3, 2017 at 23:29
  • Works well, however I've discovered that some entries the path is the last item after all (no bracketed elements after). Is it possible to attempt two pattern matches? Commented Jan 3, 2017 at 23:56
  • I've updated the examples. Thanks for all your help. Commented Jan 4, 2017 at 0:01

1 Answer 1

Reset to default
1

Since your third example contains " (", we can't use that to spot the change in the first line.

The only think that seems to tie these lines together is the ".jpg". You said that it may not always be jpg, but hopefully they all have suffixes.

With that assumption - and also that the path itself doesn't contain any periods, this pattern works in the debugger:

(?<file>[^\.]*\.[^ ]*)

"Anything that is not a period, followed by a period, followed by anything that is not a space".

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Thanks for all your help. In the end used more than one if your solutions by using the _grokparsefailure tag to fix items not matched by grok.
I'm not a fan of using GPFs for logic control. You can put multiple patterns in the same grok.
I might explore that approach, thanks for the heads up. Will help trim the configuration a little.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.