Grok Parser Transform

The Vector grok_parser transform accepts and outputs log events, allowing you to parse a log field value with Grok.


# General
type = "grok_parser" # required
inputs = ["my-source-or-transform-id"] # required
drop_field = true # optional, default
field = "message" # optional, default
pattern = "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} %{GREEDYDATA:message}" # required
# Types
types.status = "int" # example
types.duration = "float" # example
types.success = "bool" # example
types.timestamp = "timestamp|%F" # example
types.timestamp = "timestamp|%a %b %e %T %Y" # example
types.parent.child = "int" # example
  • boolcommonoptional


    If true will drop the specified field after parsing.

    • Default: true
    • View examples
  • stringcommonoptional


    The log field to execute the pattern against. Must be a string value. See Field Notation Syntax for more info.

    • Default: "message"
    • View examples
  • stringcommonrequired


    The Grok pattern

    • No default
    • View examples
  • tablecommonoptional


    Key/value pairs representing mapped log field names and types. This is used to coerce log fields into their proper types.

    • stringenumcommonoptional


      A definition of log field type conversions. They key is the log field name and the value is the type. strptime specifiers are supported for the timestamp type.

      • No default
      • Enum, must be one of: "bool" "float" "int" "string" "timestamp"
      • View examples

How It Works

Available Patterns

Vector uses the Rust grok library. All patterns listed here are supported. It is recommended to use maintained patterns when possible since they will be improved over time by the community.

Complex Processing

If you encounter limitations with the grok_parser transform then we recommend using a runtime transform. These transforms are designed for complex processing and give you the power of full programming runtime.


We recommend the Grok debugger for Grok testing.

Environment Variables

Environment variables are supported through all of Vector's configuration. Simply add ${MY_ENV_VAR} in your Vector configuration file and the variable will be replaced before being evaluated.

You can learn more in the Environment Variables section.

Field Notation Syntax

The field options support Vector's field notation syntax, enabling access to root-level, nested, and array field values. For example:

# ...
field = "message"
field = "parent.child"
field = "array[0]"
# ...

You can learn more about Vector's field notation in the field notation reference.


Grok is approximately 50% slower than the regex_parser transform. We plan to add a performance test for this in the future. While this is still plenty fast for most use cases we recommend using the regex_parser transform if you are experiencing performance issues.

Value Coercion

Values can be coerced upon extraction via the types.* options. This functions exactly like the coercer transform except that its coupled within this transform for convenience.


You can coerce values into timestamps via the timestamp type:

# ...
types.first_timestamp = "timestamp" # best effort parsing
types.second_timestamp = "timestamp|%Y-%m-%dT%H:%M:%S%z" # ISO8601
# ...

As noted above, if you do not specify a specific strftime format, Vector will make a best effort attempt to parse the timestamp against the following common formats:

Without Timezone
FT%TISO 8601 / RFC 3339 without TZ
m/%d/%Y:%TUS common date format
a, %d %b %Y %TRFC 822/2822 without TZ
a %d %b %T %Ydate command output without TZ
A %d %B %T %Ydate command output without TZ, long names
a %b %e %T %Yctime format
With Timezone
%+ISO 8601 / RFC 3339
%a %d %b %T %Z %Ydate command output
%a %d %b %T %z %Ydate command output, numeric TZ
%a %d %b %T %#z %Ydate command output, numeric TZ
UTC Formats
%sUNIX timestamp
%FT%TZISO 8601 / RFC 3339 UTC