grok_parser transform


The grok_parser transform accepts log events and allows you to parse a log field value with Grok.

Config File

vector.toml (simple)
[transforms.my_transform_id] # "my_transform_id" is a placeholder ID; choose your own
type = "grok_parser" # must be: "grok_parser"
inputs = ["my-source-id"]
pattern = "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} %{GREEDYDATA:message}"
# For a complete list of options see the "advanced" tab above.

How It Works

Available Patterns

Vector uses the Rust grok library. All patterns listed here are supported. It is recommended to use maintained patterns when possible since they can be improved over time by the community.


We recommend the Grok debugger for Grok testing.

Environment Variables

Environment variables are supported through all of Vector's configuration. Simply add ${MY_ENV_VAR} in your Vector configuration file and the variable will be replaced before being evaluated.

You can learn more in the Environment Variables section.


Grok is approximately 50% slower than the regex_parser transform. We plan to add a performance test for this in the future. While this is still plenty fast for most use cases, we recommend using the regex_parser transform if you are experiencing performance issues.


By default, extracted (parsed) fields all contain string values. You can coerce these values into types via the types table as shown in the Config File example above. For example:

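# ...
# OPTIONAL - Types
[transforms.my_transform_id.types] # "my_transform_id" is a placeholder ID
status = "int"
duration = "float"
success = "bool"
# A key may appear only once in a TOML table, so use a single "timestamp"
# entry; the commented lines are alternative formats.
timestamp = "timestamp|%s"
# timestamp = "timestamp|%+"
# timestamp = "timestamp|%F"
# timestamp = "timestamp|%a %b %e %T %Y"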

The available types are:

`bool`: Coerces to a true/false boolean. The 1/0 and t/f values are also coerced.

`float`: Coerces to a 64-bit float.

`int`: Coerces to a 64-bit integer.

`string`: Coerces to a string. Generally not necessary since values are extracted as strings.

`timestamp`: Coerces to a Vector timestamp. strftime specifiers must be used to parse the string.
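The following Python example is added here for illustration and is not Vector's code or part of the original page. It shows how a Grok pattern like the one in the Config File section expands into a regex with named capture groups, and how a types table then coerces the extracted strings. The pattern definitions, function names and sample log lines are constructed for this example, and Python's strptime stands in for Vector's timestamp parsing, so the format string uses Python specifiers.

```python
import re
from datetime import datetime

# Simplified stand-ins (assumption): the real grok pattern library is stricter.
PATTERNS = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?",
    "LOGLEVEL": r"(?i:debug|info|warn(?:ing)?|error|fatal)",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
    "WORD": r"\w+",
    "GREEDYDATA": r".*",
}

def grok_to_regex(pattern):
    """Expand %{NAME:field} into a named group and %{NAME} into a plain group."""
    def expand(m):
        body = PATTERNS[m.group(1)]  # KeyError for a pattern name not defined above
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return re.compile(re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, pattern))

def coerce(value, spec):
    """Apply one types-table entry ("int", "bool", "timestamp|<format>", ...) to a string."""
    kind, _, fmt = spec.partition("|")
    if kind == "int":
        return int(value)
    if kind == "float":
        return float(value)
    if kind == "bool":
        return {"true": True, "t": True, "1": True, "false": False, "f": False, "0": False}[value.lower()]
    if kind == "timestamp":
        return datetime.strptime(value, fmt)  # Python strptime, not Vector's parser
    return value  # "string": extracted values are already strings

def parse(line, pattern, types=None):
    """Return the extracted fields, or None when the line does not match."""
    m = grok_to_regex(pattern).search(line)
    if m is None:
        return None
    fields = m.groupdict()
    for name, spec in (types or {}).items():
        if name in fields:
            fields[name] = coerce(fields[name], spec)
    return fields

# Constructed sample input; BASIC is the pattern from the Config File section.
BASIC = "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} %{GREEDYDATA:message}"
TYPED = "%{TIMESTAMP_ISO8601:timestamp} status=%{NUMBER:status} duration=%{NUMBER:duration} success=%{WORD:success}"
TYPES = {"status": "int", "duration": "float", "success": "bool", "timestamp": "timestamp|%Y-%m-%dT%H:%M:%S"}
print(parse("2024-05-01T12:00:03 ERROR login failed for user alice", BASIC))
print(parse("2024-05-01T12:00:04 status=200 duration=0.25 success=t", TYPED, TYPES))
```

Without a types table every field stays a string, and a line that does not match the pattern yields None in this example rather than a partially filled record.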


The best place to start with troubleshooting is to check the Vector logs, which are typically located at /var/log/vector.log. Then proceed to follow the Troubleshooting Guide.

If the Troubleshooting Guide does not resolve your issue, please:

  1. If you encountered a bug, please file a bug report.

  2. If you encountered a missing feature, please file a feature request.

  3. If you need help, join our chat/forum community. You can post a question and search previous questions.


Finally, consider the following alternatives: