Cribl LogStream – Docs

Cribl LogStream Documentation

Questions? We'd love to help you! Meet us in #Cribl Community Slack (sign up)
Download entire manual as PDF - v2.3.0

Grok

Description


The Grok Function extracts structured fields from unstructured log data, using modular regex patterns.

Usage


Filter: Filter expression (JS) that selects data to be fed through the Function. Defaults to true, meaning that all events will be evaluated.

Description: Optional description of this Function's purpose in this Pipeline. Defaults to empty.

Final: If toggled to Yes, stops data from being fed to downstream Functions. Defaults to No.

Pattern: Grok pattern to extract fields. Syntax supported: %{PATTERN_NAME:FIELD_NAME}.

Click + Add pattern to chain more patterns.

Source field: Field on which to perform Grok extractions. Defaults to _raw.

Management


You can add and edit Grok patterns via LogStream's UI by selecting Knowledge > Grok Patterns. Pattern files are located at: $CRIBL_HOME/(default|local)/cribl/grok-patterns/

Example


Example event:

{"_raw": "2020-09-16T04:20:42.45+01:00 DEBUG This is a sample debug log message"}`

Pattern: %{TIMESTAMP_ISO8601:event_time} %{LOGLEVEL:log_level} %{GREEDYDATA:log_message}
Source Field: _raw

Event after extraction:

{"_raw": "2020-09-16T04:20:42.45+01:00 DEBUG This is a sample debug log message",
  "_time": 1600226442.045,
  "event_time": "2020-09-16T04:20:42.45+01:00",
  "log_level": "DEBUG",
  "log_message": "This is a sample debug log message",
}

Note the new fields added to the event: event_time, log_level, and log_message.

References


Updated 7 days ago

Grok


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.