ignacio-alorre edited this page Nov 24, 2020 · 9 revisions

Grok is a Logstash filter plugin for parsing unstructured data (for example raw log lines) into structured data, that is, named fields.

It uses regular expressions to match patterns in the input. Each named pattern such as IP or WORD is referenced as %{PATTERN:field}, where field is the name the captured value will get.

Inside the grok block there is a match block keyed on message, the field that holds each incoming event in its raw form.

The value for message in that match block is where we define what each piece of data is called and which pattern it must match. If the line does not match, grok leaves the event unparsed and adds the tag _grokparsefailure, so a failed match is visible in the output rather than silently dropped.

In the example from the video [reference to later add images], the first pattern is IP, which matches the first part of the log line (an IP address). The match string contains %{IP:c}, so grok assigns that value to the key c in the structured output. The next pattern matches a WORD, which we assign to m for method.


Mutate is another filter plugin you are likely to use. It is very versatile because it lets you apply various transformations to fields: rename them, convert their type (for example a captured status code from string to integer), lowercase or uppercase them, or remove them. So in this filter block there is a grok filter to extract and name the data correctly, followed by a mutate block that operates on the results.

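As an added example (not code from this page or from Logstash itself), the Python script below re-implements the two steps just described in miniature: a grok step that expands %{PATTERN:field} references into named regex groups and tags the event with _grokparsefailure when nothing matches, followed by a mutate step that renames, converts, lowercases and removes fields. The pattern definitions, the sample log lines and the field names c, m, r and s are constructed for this example; the real Logstash pattern library is far larger (its IP pattern also covers IPv6) and the mutate plugin has more options than the four shown here.

```python
import re

# Simplified stand-ins for a few of the stock grok pattern names. These are
# assumptions for this example, not the Logstash pattern library.
PATTERNS = {
    "IPV4": r"(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}"
            r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)",
    "WORD": r"\b\w+\b",
    "NUMBER": r"[-+]?(?:\d+(?:\.\d+)?|\.\d+)",
    "URIPATH": r"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_-]*)+",
    "GREEDYDATA": r".*",
}
PATTERNS["IP"] = PATTERNS["IPV4"]  # real grok's IP also accepts IPv6

# A %{NAME} or %{NAME:field} reference inside a grok match string.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def compile_grok(expr):
    """Expand every %{NAME:field} into a named regex group.

    Everything outside the references is ordinary regex, as in grok. The
    result is anchored with ^ and $ so the whole line must match; unanchored
    patterns (especially ones containing GREEDYDATA) can backtrack badly on
    attacker-controlled input.
    """
    def repl(m):
        name, field = m.group(1), m.group(2)
        if name not in PATTERNS:
            raise KeyError(f"unknown grok pattern {name}")
        sub = PATTERNS[name]
        return f"(?P<{field}>{sub})" if field else f"(?:{sub})"
    return re.compile("^" + GROK_REF.sub(repl, expr) + "$")


def grok(event, expr):
    """Mimic the grok filter on one event (a dict with a 'message' key).

    On success the captured fields are merged into the event; on failure the
    event is left as it was and tagged _grokparsefailure, which is what
    Logstash's grok filter does by default.
    """
    m = compile_grok(expr).match(event["message"])
    if m is None:
        event.setdefault("tags", []).append("_grokparsefailure")
        return event
    event.update(m.groupdict())
    return event


def mutate(event, rename=None, convert=None, lowercase=None, remove_field=None):
    """A small subset of the mutate filter: rename, convert, lowercase,
    remove_field. The order used here (rename first, remove last) is an
    assumption of this example; check the plugin docs for the real order."""
    for old, new in (rename or {}).items():
        if old in event:
            event[new] = event.pop(old)
    casts = {"integer": int, "float": float, "string": str}
    for field, typ in (convert or {}).items():
        if field in event:
            event[field] = casts[typ](event[field])
    for field in (lowercase or []):
        if isinstance(event.get(field), str):
            event[field] = event[field].lower()
    for field in (remove_field or []):
        event.pop(field, None)
    return event


# Constructed match string: client IP, method, request path, status code.
ACCESS_EXPR = r"%{IP:c} %{WORD:m} %{URIPATH:r} %{NUMBER:s}"


def process(line):
    """Run one raw line through grok, then mutate (the filter block above)."""
    event = grok({"message": line}, ACCESS_EXPR)
    if "_grokparsefailure" in event.get("tags", []):
        return event  # leave failures untouched so they can be inspected
    return mutate(
        event,
        rename={"c": "client_ip", "m": "method", "r": "request", "s": "status"},
        convert={"status": "integer"},
        lowercase=["method"],
        remove_field=["message"],
    )


# Constructed sample input; the third line is deliberately unparseable.
SAMPLE_LINES = [
    "10.0.0.7 GET /login 200",
    "203.0.113.9 POST /admin/login 403",
    "not a log line at all",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(process(line))
```

The first sample line comes out as {'client_ip': '10.0.0.7', 'method': 'get', 'request': '/login', 'status': 200}: the short keys from the match string are renamed, the status is now an integer that a downstream query can compare numerically, and the raw message is dropped. The third line keeps its message and carries the _grokparsefailure tag, which is worth alerting on in a real pipeline, since a sudden rise in parse failures usually means a log format changed or someone is feeding the collector malformed input. Keep match strings anchored when the input is untrusted, and validate a new pattern against real lines with the constructor site linked below before deploying it.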

This website (Grok Constructor) will help us build and test Grok patterns against sample log lines:

http://grokconstructor.appspot.com/
