Calculated Fields Extractions is in Preview

Use Calculated Fields Extractions to extract values from your logs in the Log Explorer at query time using Grok patterns.

Overview

Calculated Fields Extractions lets you apply Grok parsing rules at query time in the Log Explorer. This makes it possible to extract values from raw log messages or attributes without modifying pipelines or re-ingesting data.

Syntax

Extraction fields use Grok patterns to identify and capture values from a log attribute. A Grok pattern is composed of one or more tokens in the form:

%{PATTERN_NAME:field_name}
  • PATTERN_NAME: A Grok matcher.
  • field_name: The name of the extracted calculated field.

You can chain multiple patterns together to parse complex log messages.

Supported matchers and filters at query time

Grok parsing features available at query time (in the Log Explorer) support a limited subset of matchers (data, integer, notSpace, number, and word) and filters (number and integer). For long-term parsing needs, define a log pipeline.

Each matcher or filter is used in a Grok pattern with the format:

%{MATCHER:field_name}

Matchers

| Matcher | Description | Example Grok Pattern |
|---|---|---|
| DATA | Any sequence of characters (non-greedy) | status=%{DATA:status} |
| WORD | Alphanumeric characters | country=%{WORD:country} |
| NUMBER | Floating-point numbers | value=%{NUMBER:float_val} |
| INTEGER | Integer values | count=%{INTEGER:count} |
| NOTSPACE | Non-whitespace characters | path=%{NOTSPACE:request_path} |

Filters

Apply filters to cast extracted values into numeric types. Filters use the same pattern syntax as matchers.

| Filter | Description | Example Grok Pattern |
|---|---|---|
| NUMBER | Parses numeric strings as numbers | latency=%{NUMBER:lat} |
| INTEGER | Parses numeric strings as integers | users=%{INTEGER:user_count} |

Example

Use this feature to analyze log fields on demand without modifying your ingestion pipeline.

Log line:

country=Brazil duration=123ms path=/index.html status=200 OK

Extraction grok rule:

country=%{WORD:country} duration=%{INTEGER:duration}ms path=%{NOTSPACE:request_path} status=%{DATA:status}

Resulting calculated fields:

  • #country = Brazil
  • #duration = 123
  • #request_path = /index.html
  • #status = 200 OK
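
To check a rule against sample lines before pasting it into the Log Explorer, the sketch below (an added example, not Datadog code) translates the five supported matchers into regular expressions and applies the numeric casts. The regexes are approximations based on the table descriptions, whole-line anchoring is an assumption, and the rule carries a literal `ms` after the duration token so the unit in the sample line is consumed.

```python
import re

# Approximate regexes for the five query-time matchers, derived from the
# table descriptions (assumption: not Datadog's exact definitions).
MATCHERS = {
    "DATA": r".*?",
    "WORD": r"\w+",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
    "INTEGER": r"[+-]?\d+",
    "NOTSPACE": r"\S+",
}
CASTS = {"NUMBER": float, "INTEGER": int}   # numeric casts for extracted values
TOKEN = re.compile(r"%\{(\w+):(\w+)\}")     # %{MATCHER:field_name}

def compile_rule(rule):
    """Translate a Grok rule into an anchored regex plus per-field casts."""
    parts, casts, pos = [], {}, 0
    for m in TOKEN.finditer(rule):
        name, field = m.group(1).upper(), m.group(2)
        if name not in MATCHERS:
            raise ValueError(f"unsupported matcher at query time: {name}")
        parts.append(re.escape(rule[pos:m.start()]))   # literal text between tokens
        parts.append(f"(?P<{field}>{MATCHERS[name]})")
        if name in CASTS:
            casts[field] = CASTS[name]
        pos = m.end()
    parts.append(re.escape(rule[pos:]))
    # Assumption: the rule must cover the whole line, so anchor the end.
    return re.compile("".join(parts) + r"\Z"), casts

def extract(rule, line):
    """Return the calculated fields for one log line, or None if no match."""
    regex, casts = compile_rule(rule)
    m = regex.match(line)
    if m is None:
        return None
    return {k: casts.get(k, str)(v) for k, v in m.groupdict().items()}

# Log line from the example above; the second line is constructed to show a miss.
LINE = "country=Brazil duration=123ms path=/index.html status=200 OK"
BAD_LINE = "country=Brazil duration=fastms path=/index.html status=200 OK"
RULE = ("country=%{WORD:country} duration=%{INTEGER:duration}ms "
        "path=%{NOTSPACE:request_path} status=%{DATA:status}")

if __name__ == "__main__":
    print(extract(RULE, LINE))
    print(extract(RULE, BAD_LINE))
```

A line that returns `None` here means a literal or matcher in the rule does not line up with the log text, which is the first thing to check when a calculated field comes back empty.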
