Skip to Content
Process and transform dataParse semi-structured data with GrokSupported Grok transformers

The Grepr Grok parser: Supported transformers

Transformers are included in a Grok rule to convert matched values before adding them to output log events. This page provides a reference for the comprehensive set of transformers supported by the Grok parser in the Grepr platform.

Type conversion transformers

number: Parses the matched value as a double-precision floating point number.

%{data:value:number}
# Input:  "123.45"
# Output: {"value": 123.45}

integer: Parses the matched value as an integer number.

%{data:count:integer}
# Input:  "42"
# Output: {"count": 42}

boolean: Parses true and false strings as booleans, ignoring case.

%{data:is_active:boolean}
# Input:  "True"
# Output: {"is_active": true}

String transformers

lowercase: Converts the matched value to lowercase.

%{word:username:lowercase}
# Input:  JohnDoe
# Output: {"username": "johndoe"}

uppercase: Converts the matched value to uppercase.

%{word:status:uppercase}
# Input:  active
# Output: {"status": "ACTIVE"}

Data parsing transformers

json: Parses a properly formatted JSON string into a JSON object.

%{data:metadata:json}
# Input:  {"key": "value", "count": 42}
# Output: {"metadata": {"key": "value", "count": 42}}

keyvalue([separatorStr[, characterAllowList[, quotingStr[, delimiter]]]]): Parses key-value pairs from strings into structured attributes.

See The key-value transformer.

useragent([decodeuricomponent:true/false]): Parses a user-agent string and returns a JSON object containing device, operating system, and browser information.

Parameters:

  • decodeuricomponent: If set to true, URL-decodes the user-agent string before parsing (default: false)

Output structure:

{
  "userAgent": {
    "family": "Chrome",
    "major": "120",
    "minor": "0",
    "patch": "0"
  },
  "os": {
    "family": "Mac OS X",
    "major": "10",
    "minor": "15",
    "patch": "7"
  },
  "device": {
    "family": "Mac"
  }
}

Example:

%{data:user_agent_info:useragent}
# Input:  Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
# Output: {"user_agent_info": {"userAgent": {"family": "Chrome", "major": "120", ...}, "os": {...}, "device": {...}}}

Value transformers

scale(factor): Multiplies the matched numeric value by the specified factor.

Parameters:

  • factor: The multiplication factor

Examples:

# Convert bytes to kilobytes
%{number:size_kb:scale(0.001)}
# Input:  1024
# Output: {"size_kb": 1.024}
 
# Convert milliseconds to seconds
%{number:duration_seconds:scale(0.001)}
# Input:  5000
# Output: {"duration_seconds": 5}
 
# Convert percentage to decimal
%{number:ratio:scale(0.01)}
# Input:  75
# Output: {"ratio": 0.75}

isoDateTimeToMillis: Converts an ISO 8601 formatted date-time string to milliseconds since epoch.

Example:

%{data:timestamp:isoDateTimeToMillis}
# Input:  2024-03-15T14:30:45Z
# Output: {"timestamp": 1710512445000}
# Input:  2024-03-15T14:30:45.123Z
# Output: {"timestamp": 1710512445123}

The key-value transformer

The keyvalue transformer parses key-value pairs from strings into structured attributes. For example, user=john email=john@example.com becomes {"user": "john", "email": "john@example.com"}.

Syntax: keyvalue([separatorStr[, characterAllowList[, quotingStr[, delimiter]]]])

Parameters:

  • separatorStr: Character between key and value (default: =).
  • characterAllowList: Additional characters allowed in unquoted values beyond \w.-_@.
  • quotingStr: Custom quote pairs as opening and closing character pairs (default: <>, "", '').
  • delimiter: Separator between key-value pairs (default: , ,, ;).

When you use the keyvalue transformer:

  • Empty values (key=) and null values (key=null) are skipped.
  • If there’s a duplicate key in the input to the keyvalue transformer, the value that’s added to the output attributes is from the last occurrence of the key.
  • Whitespace around separators is ignored.
  • To include special characters like / or : in values, add them to characterAllowList.

Examples:

# Basic usage with default separator
%{data::keyvalue}
# Input:  user=john email=john@example.com
# Output: {"user": "john", "email": "john@example.com"}
 
# Custom separator
%{data::keyvalue(":")}
# Input:  user:john email:john@example.com
# Output: {"user": "john", "email": "john@example.com"}
 
# Character allowlist for special characters
%{data::keyvalue("=", "/:@")}
# Input:  path=/home/user email=test@example.com
# Output: {"path": "/home/user", "email": "test@example.com"}
 
# Custom delimiter
%{data::keyvalue("=", "", "", "|")}
# Input:  key1=value1|key2=value2
# Output: {"key1": "value1", "key2": "value2"}
 
# Custom quote pairs
%{data::keyvalue(":=", "", "{}")}
# Input:  key:={value with spaces}
# Output: {"key": "value with spaces"}
 
# Multiple delimiters
%{data::keyvalue}
# Input:  user=john, email=john@example.com; role=admin
# Output: {"user": "john", "email": "john@example.com", "role": "admin"}
Last updated on
Datadog-compatible matchersTransform messages into JSON objects