grok — parse a string using a grok pattern
grok(p: string, s: string) -> any
grok(p: string, s: string, definitions: string) -> any
The grok function parses a string s using grok pattern p and returns
a record containing the parsed fields. The syntax for pattern p
is %{pattern:field_name} where pattern is the name of the pattern
to match in s and field_name is the resultant field name of the capture
value.
When provided with three arguments, definitions is a string
of named patterns in the format PATTERN_NAME PATTERN each separated by newlines.
The named patterns can then be referenced in argument p.
The grok function by default includes a set of builtin named patterns that can be referenced in any pattern. The included named patterns can be seen here.
Parsing a simple log line using the builtin named patterns:
echo '"2020-09-16T04:20:42.45+01:00 DEBUG This is a sample debug log message"' |
zq -Z 'yield grok("%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} %{GREEDYDATA:message}", this)' -
=>
{
timestamp: "2020-09-16T04:20:42.45+01:00",
level: "DEBUG",
message: "This is a sample debug log message"
}