Pattern Matching
Use the extract action for extracting fields with regular expressions.
Simple Pattern Match
name: example-pattern-match
input:
  echo:
    json: true
    event: |
      {"_raw": "09:07:36 up 16 min, 1 user, load average: 0.08, 0.23, 0.31"}
actions:
- extract:
    # on which field to perform the matching
    input-field: _raw
    # whether to remove the input field
    remove: true
    # the regex pattern
    pattern: 'load average: (\S+), (\S+), (\S+)'
    # map capture groups to new output fields
    output-fields:
    - m1
    - m5
    - m15
output:
  print: STDOUT
# output:
# {
#   "m1": "0.08",
#   "m5": "0.23",
#   "m15": "0.31",
# }
Match with Conversion
name: example-pattern-match-2
input:
  echo:
    json: true
    event: |
      {"_raw": "09:07:36 up 16 min, 1 user, load average: 0.08, 0.23, 0.31"}
actions:
- extract:
    # on which field to perform the matching
    input-field: _raw
    # whether to remove the input field
    remove: true
    # the regex pattern
    pattern: 'load average: (\S+), (\S+), (\S+)'
    # specify type conversion and output field mapping
    convert:
    - m1: num
    - m5: num
    - m15: num
output:
  print: STDOUT
# output:
# {
#   "m1": 0.08,
#   "m5": 0.23,
#   "m15": 0.31,
# }
Replace by Pattern
Use the extract feature of the raw action for pattern-based search and replace on a particular field.
name: example-replace
input:
  echo:
    json: true
    event: |
      {"_raw": "09:07:36 up 16 min, 1 user, load average: 0.08, 0.23, 0.31"}
actions:
- raw:
    extract:
      input-field: _raw
      pattern: '.*up (\d+) (\w+).*'
      replace: $1 $2
output:
  print: STDOUT
# output:
# {
#   "_raw": "16 min"
# }
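To check the three patterns above against more than one log line before putting them in a pipeline, the following added example (not part of the tool or its documentation) reproduces the field mapping, numeric conversion and `$1 $2` replacement with Python's `re` module. The function names are hypothetical, Python's regex engine stands in for the tool's, and the harness assumes search semantics and that a non-matching event passes through unchanged.

```python
import re

# First line is the page's sample event; the other two are constructed inputs.
SAMPLES = [
    "09:07:36 up 16 min, 1 user, load average: 0.08, 0.23, 0.31",
    "14:02:11 up 2 days, 3:04, 2 users, load average: 1.50, 1.20, 0.90",
    "14:02:11 up 3:04, 2 users, load average: 0.70, 0.65, 0.60",
]
LOAD_PATTERN = r"load average: (\S+), (\S+), (\S+)"
UPTIME_PATTERN = r".*up (\d+) (\w+).*"


def extract_fields(event, input_field, pattern, fields, remove=False):
    """Map capture groups to output fields.

    fields maps output name -> None (keep the string) or "num" (convert).
    """
    m = re.search(pattern, event.get(input_field, ""))
    if m is None:
        return dict(event)  # assumption: no match leaves the event unchanged
    if len(m.groups()) != len(fields):
        raise ValueError("capture groups and output fields differ in number")
    out = dict(event)
    if remove:
        del out[input_field]
    for (name, kind), value in zip(fields.items(), m.groups()):
        out[name] = float(value) if kind == "num" else value
    return out


def replace_field(event, input_field, pattern, replace):
    """Pattern-based search and replace on one field, using $1-style references."""
    # Translate $1, $2, ... into Python's \g<1>, \g<2>, ... form.
    template = re.sub(r"\$(\d+)", r"\\g<\1>", replace)
    out = dict(event)
    out[input_field] = re.sub(pattern, template, event[input_field])
    return out


if __name__ == "__main__":
    nums = {"m1": "num", "m5": "num", "m15": "num"}
    for raw in SAMPLES:
        ev = {"_raw": raw}
        print(extract_fields(ev, "_raw", LOAD_PATTERN, nums, remove=True))
        print(replace_field(ev, "_raw", UPTIME_PATTERN, "$1 $2"))
```

In this harness the third sample comes back from `replace_field` unchanged, because `up (\d+) (\w+)` does not match the `up 3:04` form.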