ppl-grok-command.md

File metadata and controls

75 lines (52 loc) · 3.47 KB

PPL Grok Command

Description

The grok command parses a text field with a grok pattern and appends the results to the search result.

Syntax

grok <field> <pattern>
  • field: mandatory. The field must be a text field.
  • pattern: mandatory string. The grok pattern used to extract new fields from the given text field. If a new field name already exists, it will replace the original field.

Grok Pattern

The grok pattern is used to match the text field of each document to extract new fields.

Example 1: Create the new field

The example shows how to create a new field host for each document. host is set to the host name after the @ in the email field. Parsing a null field returns an empty string.

PPL query:

os> source=accounts | grok email '.+@%{HOSTNAME:host}' | fields email, host ;
fetched rows / total rows = 4/4
+-----------------------+------------+
| email                 | host       |
|-----------------------+------------|
| [email protected]  | pyrami.com |
| [email protected] | netagy.com |
| null                  |            |
| [email protected]   | boink.com  |
+-----------------------+------------+

Example 2: Override the existing field

The example shows how to override the existing address field with the street number removed.

PPL query:

os> source=accounts | grok address '%{NUMBER} %{GREEDYDATA:address}' | fields address ;
fetched rows / total rows = 4/4
+------------------+
| address          |
|------------------|
| Holmes Lane      |
| Bristol Street   |
| Madison Street   |
| Hutchinson Court |
+------------------+

Example 3: Using grok to parse logs

The example shows how to use grok to parse raw logs.

PPL query:

os> source=apache | grok message '%{COMMONAPACHELOG}' | fields COMMONAPACHELOG, timestamp, response, bytes ;
fetched rows / total rows = 4/4
+-----------------------------------------------------------------------------------------------------------------------------+----------------------------+------------+---------+
| COMMONAPACHELOG                                                                                                             | timestamp                  | response   | bytes   |
|-----------------------------------------------------------------------------------------------------------------------------+----------------------------+------------+---------|
| 177.95.8.74 - upton5450 [28/Sep/2022:10:15:57 -0700] "HEAD /e-business/mindshare HTTP/1.0" 404 19927                        | 28/Sep/2022:10:15:57 -0700 | 404        | 19927   |
| 127.45.152.6 - pouros8756 [28/Sep/2022:10:15:57 -0700] "GET /architectures/convergence/niches/mindshare HTTP/1.0" 100 28722 | 28/Sep/2022:10:15:57 -0700 | 100        | 28722   |
| 118.223.210.105 - - [28/Sep/2022:10:15:57 -0700] "PATCH /strategize/out-of-the-box HTTP/1.0" 401 27439                      | 28/Sep/2022:10:15:57 -0700 | 401        | 27439   |
| 210.204.15.104 - - [28/Sep/2022:10:15:57 -0700] "POST /users HTTP/1.1" 301 9481                                             | 28/Sep/2022:10:15:57 -0700 | 301        | 9481    |
+-----------------------------------------------------------------------------------------------------------------------------+----------------------------+------------+---------+
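To make the pattern semantics shown in the three examples concrete, here is an added Python model of the command (example code written for this page, not OpenSearch's implementation): it expands `%{NAME:field}` references into named regex groups, appends the captures to each row, overwrites an existing field of the same name, and returns empty strings for a null input. The pattern definitions, the search-anywhere matching and the all-empty result for a non-matching row are simplifying assumptions.

```python
import re

# Constructed, simplified pattern library (assumption: the real grok
# library has many more patterns and stricter definitions).
GROK_PATTERNS = {
    "NUMBER": r"-?\d+(?:\.\d+)?",
    "WORD": r"\w+",
    "USER": r"[\w.-]+",
    "HOSTNAME": r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*",
    "IP": r"\d{1,3}(?:\.\d{1,3}){3}",
    "HTTPDATE": r"\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
    "URIPATH": r"/[^\s\"]*",
    "GREEDYDATA": r".*",
    # Composite pattern built from the others, like the real COMMONAPACHELOG.
    "COMMONAPACHELOG": (r'%{IP:clientip} %{USER:ident} %{USER:auth} '
                        r'\[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{URIPATH:request}'
                        r' HTTP/%{NUMBER:httpversion}" %{NUMBER:response} %{NUMBER:bytes}'),
}
_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def compile_grok(pattern):
    """Expand %{NAME} / %{NAME:field} references (recursively) into a regex
    with named groups. An unnamed %{NAME} is captured under NAME, which is
    why Example 3 yields a COMMONAPACHELOG field holding the whole match."""
    def expand(m):
        name, field = m.group(1), m.group(2) or m.group(1)
        return "(?P<%s>%s)" % (field, _REF.sub(expand, GROK_PATTERNS[name]))
    return re.compile(_REF.sub(expand, pattern))


def grok(rows, field, pattern):
    """Append every captured group to each row. An existing field with the
    same name is overwritten (Example 2); a null input, or a row that does
    not match (assumption), yields empty strings for all new fields."""
    regex = compile_grok(pattern)
    out = []
    for row in rows:
        new = dict(row)
        text = row.get(field)
        m = regex.search(text) if text is not None else None
        for name in regex.groupindex:
            new[name] = (m.group(name) or "") if m else ""
        out.append(new)
    return out


if __name__ == "__main__":
    # Constructed sample rows mirroring Examples 1 and 2 above.
    rows = [{"email": "user@pyrami.com"}, {"email": None}]
    print(grok(rows, "email", ".+@%{HOSTNAME:host}"))
    print(grok([{"address": "880 Holmes Lane"}], "address",
               "%{NUMBER} %{GREEDYDATA:address}"))
```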

Limitations

The grok command has the same limitations as the parse command; see the parse command's limitations section for details.