Grok Extractor Grok Pattern Help

williamk · March 12, 2020, 7:23pm

Im a newb to Grok and regular expressions, so forgive my ignorance. Have a Cisco Firepower syslog message that I want to extract the value for EgressZone. In the message I have the string
EgressZone: HA-Guest-Outside-Zone, IngressZone:

So I want to extract the value HA-Guest-Outside-Zone and assign it to the field EgressZone. I create a Grok Pattern extractor that looks like this:
EgressZone: %{WORD:EgressZone}

This extractor returns HA. Apparently the filter for WORD does not include hyphens. Most of my values for Egress zone include one to three hyphens. What would the correct filter be to include hyphens in a word. Or is their a way to create a grok pattern that will Extract all characters after EgressZone: up to the comma? Perhaps a Grok Pattern is not the correct choice for this extractor?

Ponet · March 13, 2020, 5:27pm

You could try something like:
EgressZone:\s%{GREEDYDATA:EgressZone},\sIngressZone:\s%{GREEDYDATA:IngressZone}

The GREEDYDATA grok pattern is effectively just .* (aka EVERYTHING)

williamk · March 15, 2020, 8:44pm

Thank you, GREEDYDATA put me on the right path. I also figured out that the NOTSPACE pattern in this case also gave me the data I wanted. As I understand it that pattern basically returns everything up to the first space.

system · March 29, 2020, 8:44pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok Pattern Extractor Error Graylog Central (peer support)	5	1455	July 14, 2021
Df -h and regex Graylog Central (peer support)	5	682	September 7, 2017
Grok extractor pattern help Graylog Central (peer support) grok-patternspl	5	4003	April 21, 2023
Help with Grok Pattern extractor Graylog Central (peer support)	3	402	July 12, 2021
GROK Troubles with end of logline Graylog Central (peer support)	6	577	October 8, 2018

Grok Extractor Grok Pattern Help

Related topics