grok_rs

the grok_rs is a rust port of Elastic Grok processor, inspired by grok-go and grok

Usage

[dependencies]
grok-rs = "0.1.3"

Example

Only with default patterns

let grok = Grok::default();
let pattern = grok
    // USERNAME are defined in grok-patterns
    .compile("%{USERNAME}", false)
    .unwrap();
let result = pattern.parse("admin admin@example.com").unwrap();
println!("{:#?}", result);

the output is:

{
    "USERNAME": String(
        "admin",
    ),
}

With user-defined patterns

let mut grok = Grok::default();
grok.add_pattern("NAME", r"[A-z0-9._-]+");
let pattern = grok.compile("%{NAME}", false).unwrap();
let result = pattern.parse("admin").unwrap();
println!("{:#?}", result);

the output is:

{
    "NAME": String(
        "admin",
    ),
}

With named_capture_only is true

let grok = Grok::default();
let pattern = grok
    .compile("%{USERNAME} %{EMAILADDRESS:email}", true)
    .unwrap();
let result = pattern.parse("admin admin@example.com").unwrap();
println!("{:#?}", result);

the output is:

{
    "email": String(
        "admin@example.com",
    ),
}

With type

let mut grok = Grok::default();
grok.add_pattern("NUMBER", r"\d+");

let pattern = grok.compile("%{NUMBER:digit:int}", false).unwrap();
let result = pattern.parse("hello 123").unwrap();
println!("{:#?}", result);

the output is:

{
    "digit": Int(
        123,
    ),
}

Notice

grok_rs is based on regex crate, so lacks several features that are not known how to implement efficiently. This includes, but is not limited to, look-around and backreferences. In exchange, all regex searches in this crate have worst case O(m * n) time complexity, where m is proportional to the size of the regex and n is proportional to the size of the string being searched.

Elastic Grok compliance

This crate declares compatible with elastic grok patterns v8.14.0, which is tagged at 2024-06-05.