elasticstack.getElasticsearchIngestProcessorGrok
Extracts structured fields out of a single text field within a document. You choose which field to extract matched fields from, as well as the grok pattern you expect will match. A grok pattern is like a regular expression that supports aliased expressions that can be reused.
This processor comes packaged with many reusable patterns.
If you need help building patterns to match your logs, you will find the Grok Debugger tool quite useful! The Grok Constructor is also a useful tool.
See: https://www.elastic.co/guide/en/elasticsearch/reference/current/grok-processor.html
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as elasticstack from "@pulumi/elasticstack";
// Custom grok aliases scoped to this processor. Per the argument reference on this
// page, a name that matches an existing pattern overrides the existing definition,
// so keep custom names distinct from the packaged ones.
const petPatternDefinitions = {
    FAVORITE_DOG: "beagle",
    FAVORITE_CAT: "burmese",
};

// Expressions are tried in list order; the processor returns on the first match.
const petPatterns = [
    "%{FAVORITE_DOG:pet}",
    "%{FAVORITE_CAT:pet}",
];

// Data source call: its `json` output is the JSON representation of the processor.
// ignoreFailure / onFailures are not set in this example; decide explicitly how
// non-matching documents are handled before relying on the pipeline for log parsing.
const grok = elasticstack.getElasticsearchIngestProcessorGrok({
    field: "message",
    patterns: petPatterns,
    patternDefinitions: petPatternDefinitions,
});

// The pipeline takes each processor as a JSON string.
const processorJson = grok.then(result => result.json);
const myIngestPipeline = new elasticstack.ElasticsearchIngestPipeline("myIngestPipeline", {
    processors: [processorJson],
});
import pulumi
import pulumi_elasticstack as elasticstack
# Custom grok aliases scoped to this processor. Per the argument reference on this
# page, a name matching an existing pattern overrides the existing definition.
pet_pattern_definitions = {
    "FAVORITE_DOG": "beagle",
    "FAVORITE_CAT": "burmese",
}

# Tried in order; the processor returns on the first expression that matches.
pet_patterns = [
    "%{FAVORITE_DOG:pet}",
    "%{FAVORITE_CAT:pet}",
]

# Data source call: `grok.json` is the JSON representation of the processor.
# A grok pattern behaves like a regular expression applied to `field`, so keep
# custom definitions narrow and review them like any other regex.
grok = elasticstack.get_elasticsearch_ingest_processor_grok(
    field="message",
    patterns=pet_patterns,
    pattern_definitions=pet_pattern_definitions,
)

# The pipeline takes each processor as a JSON string.
my_ingest_pipeline = elasticstack.ElasticsearchIngestPipeline(
    "myIngestPipeline",
    processors=[grok.json],
)
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/elasticstack/elasticstack"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
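// main runs a Pulumi program that builds a grok ingest processor definition and
// attaches its JSON representation to an Elasticsearch ingest pipeline.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		grok, err := elasticstack.GetElasticsearchIngestProcessorGrok(ctx, &elasticstack.GetElasticsearchIngestProcessorGrokArgs{
			Field: "message",
			// Tried in order; the processor returns on the first expression that matches.
			Patterns: []string{
				"%{FAVORITE_DOG:pet}",
				"%{FAVORITE_CAT:pet}",
			},
			// Typed as map[string]string to match the Go argument reference on this page
			// (the generated example used map[string]interface{}). A name matching an
			// existing pattern overrides the existing definition.
			PatternDefinitions: map[string]string{
				"FAVORITE_DOG": "beagle",
				"FAVORITE_CAT": "burmese",
			},
		}, nil)
		if err != nil {
			return err
		}
		// The pipeline takes each processor as a JSON string.
		_, err = elasticstack.NewElasticsearchIngestPipeline(ctx, "myIngestPipeline", &elasticstack.ElasticsearchIngestPipelineArgs{
			Processors: pulumi.StringArray{
				pulumi.String(grok.Json),
			},
		})
		// err is nil on success, so returning it directly covers both outcomes.
		return err
	})
}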
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Elasticstack = Pulumi.Elasticstack;
return await Deployment.RunAsync(() =>
{
    // Data source call: its Json output is the JSON representation of the processor.
    var grok = Elasticstack.GetElasticsearchIngestProcessorGrok.Invoke(new()
    {
        Field = "message",
        // Tried in order; the processor returns on the first expression that matches.
        Patterns = new[]
        {
            "%{FAVORITE_DOG:pet}",
            "%{FAVORITE_CAT:pet}",
        },
        // Custom aliases; a name matching an existing pattern overrides the existing definition.
        PatternDefinitions =
        {
            { "FAVORITE_DOG", "beagle" },
            { "FAVORITE_CAT", "burmese" },
        },
    });

    // The pipeline takes each processor as a JSON string.
    var processorJson = grok.Apply(result => result.Json);

    var myIngestPipeline = new Elasticstack.ElasticsearchIngestPipeline("myIngestPipeline", new()
    {
        Processors = new[]
        {
            processorJson,
        },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.elasticstack.ElasticstackFunctions;
import com.pulumi.elasticstack.inputs.GetElasticsearchIngestProcessorGrokArgs;
import com.pulumi.elasticstack.ElasticsearchIngestPipeline;
import com.pulumi.elasticstack.ElasticsearchIngestPipelineArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that builds a grok ingest processor definition and attaches its
 * JSON representation to an Elasticsearch ingest pipeline.
 */
public class App {
    /** Hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the grok processor data source and the pipeline that consumes it.
     *
     * @param ctx Pulumi context supplied by the runtime (not used by this example)
     */
    public static void stack(Context ctx) {
        // Patterns are tried in order; the processor returns on the first match.
        // A custom definition whose name matches an existing pattern overrides it.
        final var grokArgs = GetElasticsearchIngestProcessorGrokArgs.builder()
            .field("message")
            .patterns(
                "%{FAVORITE_DOG:pet}",
                "%{FAVORITE_CAT:pet}")
            .patternDefinitions(Map.of(
                "FAVORITE_DOG", "beagle",
                "FAVORITE_CAT", "burmese"))
            .build();

        final var grok = ElasticstackFunctions.getElasticsearchIngestProcessorGrok(grokArgs);

        // The pipeline takes each processor as a JSON string.
        var myIngestPipeline = new ElasticsearchIngestPipeline("myIngestPipeline", ElasticsearchIngestPipelineArgs.builder()
            .processors(grok.applyValue(result -> result.json()))
            .build());
    }
}
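# Ingest pipeline whose only processor is the grok definition rendered below.
resources:
  myIngestPipeline:
    type: elasticstack:ElasticsearchIngestPipeline
    properties:
      processors:
        # Each processor is passed as a JSON string.
        - ${grok.json}
variables:
  # Data source invocation; `json` is the JSON representation of the processor.
  grok:
    fn::invoke:
      function: elasticstack:getElasticsearchIngestProcessorGrok
      arguments:
        field: message
        # Tried in order; the processor returns on the first expression that matches.
        patterns:
          - '%{FAVORITE_DOG:pet}'
          - '%{FAVORITE_CAT:pet}'
        # Custom aliases; a name matching an existing pattern overrides the existing definition.
        patternDefinitions:
          FAVORITE_DOG: beagle
          FAVORITE_CAT: burmese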
Using getElasticsearchIngestProcessorGrok
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getElasticsearchIngestProcessorGrok(args: GetElasticsearchIngestProcessorGrokArgs, opts?: InvokeOptions): Promise<GetElasticsearchIngestProcessorGrokResult>
function getElasticsearchIngestProcessorGrokOutput(args: GetElasticsearchIngestProcessorGrokOutputArgs, opts?: InvokeOptions): Output<GetElasticsearchIngestProcessorGrokResult>
def get_elasticsearch_ingest_processor_grok(description: Optional[str] = None,
ecs_compatibility: Optional[str] = None,
field: Optional[str] = None,
if_: Optional[str] = None,
ignore_failure: Optional[bool] = None,
ignore_missing: Optional[bool] = None,
on_failures: Optional[Sequence[str]] = None,
pattern_definitions: Optional[Mapping[str, str]] = None,
patterns: Optional[Sequence[str]] = None,
tag: Optional[str] = None,
trace_match: Optional[bool] = None,
opts: Optional[InvokeOptions] = None) -> GetElasticsearchIngestProcessorGrokResult
def get_elasticsearch_ingest_processor_grok_output(description: Optional[pulumi.Input[str]] = None,
ecs_compatibility: Optional[pulumi.Input[str]] = None,
field: Optional[pulumi.Input[str]] = None,
if_: Optional[pulumi.Input[str]] = None,
ignore_failure: Optional[pulumi.Input[bool]] = None,
ignore_missing: Optional[pulumi.Input[bool]] = None,
on_failures: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
pattern_definitions: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
patterns: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
tag: Optional[pulumi.Input[str]] = None,
trace_match: Optional[pulumi.Input[bool]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetElasticsearchIngestProcessorGrokResult]
func GetElasticsearchIngestProcessorGrok(ctx *Context, args *GetElasticsearchIngestProcessorGrokArgs, opts ...InvokeOption) (*GetElasticsearchIngestProcessorGrokResult, error)
func GetElasticsearchIngestProcessorGrokOutput(ctx *Context, args *GetElasticsearchIngestProcessorGrokOutputArgs, opts ...InvokeOption) GetElasticsearchIngestProcessorGrokResultOutput
> Note: This function is named `GetElasticsearchIngestProcessorGrok` in the Go SDK.
public static class GetElasticsearchIngestProcessorGrok
{
public static Task<GetElasticsearchIngestProcessorGrokResult> InvokeAsync(GetElasticsearchIngestProcessorGrokArgs args, InvokeOptions? opts = null)
public static Output<GetElasticsearchIngestProcessorGrokResult> Invoke(GetElasticsearchIngestProcessorGrokInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetElasticsearchIngestProcessorGrokResult> getElasticsearchIngestProcessorGrok(GetElasticsearchIngestProcessorGrokArgs args, InvokeOptions options)
public static Output<GetElasticsearchIngestProcessorGrokResult> getElasticsearchIngestProcessorGrok(GetElasticsearchIngestProcessorGrokArgs args, InvokeOptions options)
fn::invoke:
function: elasticstack:index/getElasticsearchIngestProcessorGrok:getElasticsearchIngestProcessorGrok
arguments:
# arguments dictionary
The following arguments are supported:
- Field string
- The field to use for grok expression parsing
- Patterns List<string>
- An ordered list of grok expression to match and extract named captures with. Returns on the first expression in the list that matches.
- Description string
- Description of the processor.
- EcsCompatibility string
- Must be `disabled` or `v1`. If `v1`, the processor uses patterns with Elastic Common Schema (ECS) field names. NOTE: Supported only starting from Elasticsearch version 7.16.x.
- If string
- Conditionally execute the processor
- IgnoreFailure bool
- Ignore failures for the processor.
- IgnoreMissing bool
- If `true` and `field` does not exist or is `null`, the processor quietly exits without modifying the document.
- OnFailures List<string>
- Handle failures for the processor.
- PatternDefinitions Dictionary<string, string>
- A map of pattern-name and pattern tuples defining custom patterns to be used by the current processor. Patterns matching existing names will override the pre-existing definition.
- Tag string
- Identifier for the processor.
- TraceMatch bool
- When true, `_ingest._grok_match_index` will be inserted into your matched document’s metadata with the index into the pattern found in `patterns` that matched.
- Field string
- The field to use for grok expression parsing
- Patterns []string
- An ordered list of grok expression to match and extract named captures with. Returns on the first expression in the list that matches.
- Description string
- Description of the processor.
- EcsCompatibility string
- Must be `disabled` or `v1`. If `v1`, the processor uses patterns with Elastic Common Schema (ECS) field names. NOTE: Supported only starting from Elasticsearch version 7.16.x.
- If string
- Conditionally execute the processor
- IgnoreFailure bool
- Ignore failures for the processor.
- IgnoreMissing bool
- If `true` and `field` does not exist or is `null`, the processor quietly exits without modifying the document.
- OnFailures []string
- Handle failures for the processor.
- PatternDefinitions map[string]string
- A map of pattern-name and pattern tuples defining custom patterns to be used by the current processor. Patterns matching existing names will override the pre-existing definition.
- Tag string
- Identifier for the processor.
- TraceMatch bool
- When true, `_ingest._grok_match_index` will be inserted into your matched document’s metadata with the index into the pattern found in `patterns` that matched.
- field String
- The field to use for grok expression parsing
- patterns List<String>
- An ordered list of grok expression to match and extract named captures with. Returns on the first expression in the list that matches.
- description String
- Description of the processor.
- ecsCompatibility String
- Must be `disabled` or `v1`. If `v1`, the processor uses patterns with Elastic Common Schema (ECS) field names. NOTE: Supported only starting from Elasticsearch version 7.16.x.
- if_ String
- Conditionally execute the processor
- ignoreFailure Boolean
- Ignore failures for the processor.
- ignoreMissing Boolean
- If `true` and `field` does not exist or is `null`, the processor quietly exits without modifying the document.
- onFailures List<String>
- Handle failures for the processor.
- patternDefinitions Map<String,String>
- A map of pattern-name and pattern tuples defining custom patterns to be used by the current processor. Patterns matching existing names will override the pre-existing definition.
- tag String
- Identifier for the processor.
- traceMatch Boolean
- When true, `_ingest._grok_match_index` will be inserted into your matched document’s metadata with the index into the pattern found in `patterns` that matched.
- field string
- The field to use for grok expression parsing
- patterns string[]
- An ordered list of grok expression to match and extract named captures with. Returns on the first expression in the list that matches.
- description string
- Description of the processor.
- ecsCompatibility string
- Must be `disabled` or `v1`. If `v1`, the processor uses patterns with Elastic Common Schema (ECS) field names. NOTE: Supported only starting from Elasticsearch version 7.16.x.
- if string
- Conditionally execute the processor
- ignoreFailure boolean
- Ignore failures for the processor.
- ignoreMissing boolean
- If `true` and `field` does not exist or is `null`, the processor quietly exits without modifying the document.
- onFailures string[]
- Handle failures for the processor.
- patternDefinitions {[key: string]: string}
- A map of pattern-name and pattern tuples defining custom patterns to be used by the current processor. Patterns matching existing names will override the pre-existing definition.
- tag string
- Identifier for the processor.
- traceMatch boolean
- When true, `_ingest._grok_match_index` will be inserted into your matched document’s metadata with the index into the pattern found in `patterns` that matched.
- field str
- The field to use for grok expression parsing
- patterns Sequence[str]
- An ordered list of grok expression to match and extract named captures with. Returns on the first expression in the list that matches.
- description str
- Description of the processor.
- ecs_compatibility str
- Must be `disabled` or `v1`. If `v1`, the processor uses patterns with Elastic Common Schema (ECS) field names. NOTE: Supported only starting from Elasticsearch version 7.16.x.
- if_ str
- Conditionally execute the processor
- ignore_failure bool
- Ignore failures for the processor.
- ignore_missing bool
- If `true` and `field` does not exist or is `null`, the processor quietly exits without modifying the document.
- on_failures Sequence[str]
- Handle failures for the processor.
- pattern_definitions Mapping[str, str]
- A map of pattern-name and pattern tuples defining custom patterns to be used by the current processor. Patterns matching existing names will override the pre-existing definition.
- tag str
- Identifier for the processor.
- trace_match bool
- When true, `_ingest._grok_match_index` will be inserted into your matched document’s metadata with the index into the pattern found in `patterns` that matched.
- field String
- The field to use for grok expression parsing
- patterns List<String>
- An ordered list of grok expression to match and extract named captures with. Returns on the first expression in the list that matches.
- description String
- Description of the processor.
- ecsCompatibility String
- Must be `disabled` or `v1`. If `v1`, the processor uses patterns with Elastic Common Schema (ECS) field names. NOTE: Supported only starting from Elasticsearch version 7.16.x.
- if String
- Conditionally execute the processor
- ignoreFailure Boolean
- Ignore failures for the processor.
- ignoreMissing Boolean
- If `true` and `field` does not exist or is `null`, the processor quietly exits without modifying the document.
- onFailures List<String>
- Handle failures for the processor.
- patternDefinitions Map<String>
- A map of pattern-name and pattern tuples defining custom patterns to be used by the current processor. Patterns matching existing names will override the pre-existing definition.
- tag String
- Identifier for the processor.
- traceMatch Boolean
- When true, `_ingest._grok_match_index` will be inserted into your matched document’s metadata with the index into the pattern found in `patterns` that matched.
getElasticsearchIngestProcessorGrok Result
The following output properties are available:
- Field string
- The field to use for grok expression parsing
- Id string
- Internal identifier of the resource
- Json string
- JSON representation of this data source.
- Patterns List<string>
- An ordered list of grok expression to match and extract named captures with. Returns on the first expression in the list that matches.
- Description string
- Description of the processor.
- EcsCompatibility string
- Must be `disabled` or `v1`. If `v1`, the processor uses patterns with Elastic Common Schema (ECS) field names. NOTE: Supported only starting from Elasticsearch version 7.16.x.
- If string
- Conditionally execute the processor
- IgnoreFailure bool
- Ignore failures for the processor.
- IgnoreMissing bool
- If `true` and `field` does not exist or is `null`, the processor quietly exits without modifying the document.
- OnFailures List<string>
- Handle failures for the processor.
- PatternDefinitions Dictionary<string, string>
- A map of pattern-name and pattern tuples defining custom patterns to be used by the current processor. Patterns matching existing names will override the pre-existing definition.
- Tag string
- Identifier for the processor.
- TraceMatch bool
- When true, `_ingest._grok_match_index` will be inserted into your matched document’s metadata with the index into the pattern found in `patterns` that matched.
- Field string
- The field to use for grok expression parsing
- Id string
- Internal identifier of the resource
- Json string
- JSON representation of this data source.
- Patterns []string
- An ordered list of grok expression to match and extract named captures with. Returns on the first expression in the list that matches.
- Description string
- Description of the processor.
- EcsCompatibility string
- Must be `disabled` or `v1`. If `v1`, the processor uses patterns with Elastic Common Schema (ECS) field names. NOTE: Supported only starting from Elasticsearch version 7.16.x.
- If string
- Conditionally execute the processor
- IgnoreFailure bool
- Ignore failures for the processor.
- IgnoreMissing bool
- If `true` and `field` does not exist or is `null`, the processor quietly exits without modifying the document.
- OnFailures []string
- Handle failures for the processor.
- PatternDefinitions map[string]string
- A map of pattern-name and pattern tuples defining custom patterns to be used by the current processor. Patterns matching existing names will override the pre-existing definition.
- Tag string
- Identifier for the processor.
- TraceMatch bool
- When true, `_ingest._grok_match_index` will be inserted into your matched document’s metadata with the index into the pattern found in `patterns` that matched.
- field String
- The field to use for grok expression parsing
- id String
- Internal identifier of the resource
- json String
- JSON representation of this data source.
- patterns List<String>
- An ordered list of grok expression to match and extract named captures with. Returns on the first expression in the list that matches.
- description String
- Description of the processor.
- ecsCompatibility String
- Must be `disabled` or `v1`. If `v1`, the processor uses patterns with Elastic Common Schema (ECS) field names. NOTE: Supported only starting from Elasticsearch version 7.16.x.
- if_ String
- Conditionally execute the processor
- ignoreFailure Boolean
- Ignore failures for the processor.
- ignoreMissing Boolean
- If `true` and `field` does not exist or is `null`, the processor quietly exits without modifying the document.
- onFailures List<String>
- Handle failures for the processor.
- patternDefinitions Map<String,String>
- A map of pattern-name and pattern tuples defining custom patterns to be used by the current processor. Patterns matching existing names will override the pre-existing definition.
- tag String
- Identifier for the processor.
- traceMatch Boolean
- When true, `_ingest._grok_match_index` will be inserted into your matched document’s metadata with the index into the pattern found in `patterns` that matched.
- field string
- The field to use for grok expression parsing
- id string
- Internal identifier of the resource
- json string
- JSON representation of this data source.
- patterns string[]
- An ordered list of grok expression to match and extract named captures with. Returns on the first expression in the list that matches.
- description string
- Description of the processor.
- ecsCompatibility string
- Must be `disabled` or `v1`. If `v1`, the processor uses patterns with Elastic Common Schema (ECS) field names. NOTE: Supported only starting from Elasticsearch version 7.16.x.
- if string
- Conditionally execute the processor
- ignoreFailure boolean
- Ignore failures for the processor.
- ignoreMissing boolean
- If `true` and `field` does not exist or is `null`, the processor quietly exits without modifying the document.
- onFailures string[]
- Handle failures for the processor.
- patternDefinitions {[key: string]: string}
- A map of pattern-name and pattern tuples defining custom patterns to be used by the current processor. Patterns matching existing names will override the pre-existing definition.
- tag string
- Identifier for the processor.
- traceMatch boolean
- When true, `_ingest._grok_match_index` will be inserted into your matched document’s metadata with the index into the pattern found in `patterns` that matched.
- field str
- The field to use for grok expression parsing
- id str
- Internal identifier of the resource
- json str
- JSON representation of this data source.
- patterns Sequence[str]
- An ordered list of grok expression to match and extract named captures with. Returns on the first expression in the list that matches.
- description str
- Description of the processor.
- ecs_compatibility str
- Must be `disabled` or `v1`. If `v1`, the processor uses patterns with Elastic Common Schema (ECS) field names. NOTE: Supported only starting from Elasticsearch version 7.16.x.
- if_ str
- Conditionally execute the processor
- ignore_failure bool
- Ignore failures for the processor.
- ignore_missing bool
- If `true` and `field` does not exist or is `null`, the processor quietly exits without modifying the document.
- on_failures Sequence[str]
- Handle failures for the processor.
- pattern_definitions Mapping[str, str]
- A map of pattern-name and pattern tuples defining custom patterns to be used by the current processor. Patterns matching existing names will override the pre-existing definition.
- tag str
- Identifier for the processor.
- trace_match bool
- When true, `_ingest._grok_match_index` will be inserted into your matched document’s metadata with the index into the pattern found in `patterns` that matched.
- field String
- The field to use for grok expression parsing
- id String
- Internal identifier of the resource
- json String
- JSON representation of this data source.
- patterns List<String>
- An ordered list of grok expression to match and extract named captures with. Returns on the first expression in the list that matches.
- description String
- Description of the processor.
- ecsCompatibility String
- Must be `disabled` or `v1`. If `v1`, the processor uses patterns with Elastic Common Schema (ECS) field names. NOTE: Supported only starting from Elasticsearch version 7.16.x.
- if String
- Conditionally execute the processor
- ignoreFailure Boolean
- Ignore failures for the processor.
- ignoreMissing Boolean
- If `true` and `field` does not exist or is `null`, the processor quietly exits without modifying the document.
- onFailures List<String>
- Handle failures for the processor.
- patternDefinitions Map<String>
- A map of pattern-name and pattern tuples defining custom patterns to be used by the current processor. Patterns matching existing names will override the pre-existing definition.
- tag String
- Identifier for the processor.
- traceMatch Boolean
- When true, `_ingest._grok_match_index` will be inserted into your matched document’s metadata with the index into the pattern found in `patterns` that matched.
Package Details
- Repository
- elasticstack elastic/terraform-provider-elasticstack
- License
- Notes
- This Pulumi package is based on the `elasticstack` Terraform Provider.