I am finding my way around extractors and am slowly parsing a line of my log file. So I have added the Grok patterns:
%{TIMESTAMP_ISO8601} %{ISO8601_TIMEZONE} %{HOSTNAME} and these are all validated OK and work.
However, when I add GREEDYDATA as the next pattern, the validation fails. I would expect this to group up the remainder of the log entry.
Any ideas as to why this may be happening?
I am closing my eyes and trying to imagine what your message looks like so I could apply the GROK to it… ugh… can’t quite make it out… too many possibilities!!!
If I did have the original message, I might put it in here to see if I could figure out the right GROK configuration…
OK, I hear you.
Here is the log:
<30>1 2021-02-25T10:23:44.607 +0000 SecureLink: AUDIT: User David Smith (dsmith) accessed service: Windows Remote Desktop Protocol (ICL-LKK – Securelink Gateway - ICL-LK-VSS24 on port 3389@192.168.100.100), duration: 0h11m33s.
When I play with the message in the link I gave for the GROK debugger it works… also, you may need to double-escape special characters that only need a single escape in the Grok debugger…
Thanks so much for testing this for me. Can I ask what you mean by double and single escape? I’m not familiar with those terms.
Special characters in regex and GROK need to be escaped (list here). Double escaping: if you have \ it would become \\. I thought there was more to it, but as I search for examples, maybe I am mistaken. Anyway, you can play around pretty handily with GROK with that debugger (http://grokdebug.herokuapp.com/).
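As an added example (not code from the thread or from Graylog), here is a small grok-to-regex expander in Python that parses the exact log line posted above: first the thread's pattern with GREEDYDATA collecting the remainder, then a second pattern that splits that remainder and shows which literal characters need escaping. The pattern definitions are adapted from the stock grok-patterns file; the pri/version fields and the second-stage AUDIT pattern are my assumptions about this log's layout.

```python
import re

# Pattern definitions adapted from the stock grok-patterns file (the atomic
# group in YEAR replaced by a plain group so Python's re accepts it).
GROK = {
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "ISO8601_TIMEZONE": r"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))",
    "TIMESTAMP_ISO8601": r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)",
    "POSINT": r"\b(?:[1-9][0-9]*)\b",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "NOTSPACE": r"\S+",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
}
REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def grok_to_regex(pattern):
    """Recursively expand %{NAME} / %{NAME:field} into a Python regex."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        inner = grok_to_regex(GROK[name])
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return REF.sub(expand, pattern)

def grok_match(pattern, line):
    """Return the named fields, or None if the pattern does not match from the start."""
    m = re.match(grok_to_regex(pattern), line)
    return m.groupdict() if m else None

# The log line from the thread (syslog PRI <30> and version 1 included).
LINE = ("<30>1 2021-02-25T10:23:44.607 +0000 SecureLink: AUDIT: User David Smith "
        "(dsmith) accessed service: Windows Remote Desktop Protocol (ICL-LKK – "
        "Securelink Gateway - ICL-LK-VSS24 on port 3389@192.168.100.100), duration: 0h11m33s.")
# Stage 1: the thread's pattern plus GREEDYDATA for the remainder (pri/version assumed).
HEADER = (r"<%{POSINT:pri}>%{POSINT:version} %{TIMESTAMP_ISO8601:timestamp} "
          r"%{ISO8601_TIMEZONE:tz} %{HOSTNAME:host}: %{GREEDYDATA:msg}")
# Stage 2 (assumed layout): literal ( ) and . are regex metacharacters, so they are
# escaped as \( \) \. here; inside a quoted config string that becomes \\( \\) \\.
AUDIT = (r"AUDIT: User %{DATA:user_name} \(%{USERNAME:user}\) accessed service: "
         r"%{DATA:service} \(%{GREEDYDATA:detail}\), duration: %{NOTSPACE:duration}\.")

def parse(line):
    header = grok_match(HEADER, line)
    if header is None:
        return None
    audit = grok_match(AUDIT, header.pop("msg")) or {}
    return {**header, **audit}
```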
Thanks a mill. I’ll give it a go and update my thread with how I get on.