Grok - Extractor Help

First off, thanks for the help in advance. Please go easy on me, I’m completely new to grok, but trying to learn so I can enhance the use of Graylog.

I’m finding that I cannot do a second parameter correctly, and I’m asking for some help in figuring out what I’m doing. I’ve watched a few youtubers, and read the documentation, and I cannot figure out what I am doing incorrectly.

here is my line:

[2021-05-19 10:30:25.868276] (info) - Starting P25 Recorder Num [34] TG: 543 (e[35m CMPD Provdn Dispe[0m) Freq: 858.987500 MHz TDMA: false Slot: 0 Mod: true

I’m trying to break it into the following:

Timestamp, loglevel, TG_id, TG_name, Freq, TDMA, Slot, Mod.

I cannot get past the timestamp to do loglevel… both expressions work on their own, but when combined I get a parameter error.

%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:tr_log-level}

I am sure it’s something simple, but unfortunately I don’t have a good resource that gets into “why these fail”, and Graylog doesn’t get very specific when it says it’s not working to give me a hint.

Again, thanks in advance.

Brian,

It may be because the log level is surrounded by parenthesis.

Can you try:

%{TIMESTAMP_ISO8601:timestamp} \(%{LOGLEVEL:tr_log-level}\)

And see if that gives you a better result?

Thanks,
Mark

Sorry, I should have mentioned that I had tried that – and it does not work. I did try .*%{LOGLEVEL:tr_log-level} as well.

So here is the matching grok pattern that I can validate on Test grok patterns, but it does not work inside of Graylog. Any suggestions?

\[%{TIMESTAMP_ISO8601:tr_timestamp}\]\s+\(%{LOGLEVEL:tr_log-level}\)\s+-\s+%{WORD:tr_action}.*TG:%{SPACE}%{WORD:tr_tgid}.*\(.*%{SPACE}\[.*(?<tr_tgname>%{WORD} %{WORD} %{WORD}).*\).*Freq:\s+%{FREQ:tr_freq}\s+TDMA:\s+%{WORD:tr_tdma}\s+Slot:\s+%{NUMBER:tr_slot}\s+Mod:\s+%{WORD:tr_mod}

So just an update:
here’s the sample lines I’m using now:

[2021-05-19 19:13:33.398421]: 	- Starting P25 Recorder Num [1]	TG: [35m      9106[0m	Freq: 851.850000 MHz 	TDMA: false	Slot: 0	Mod: true
[2021-05-19 10:30:25.868276] (info) - Starting P25 Recorder Num [34] TG: 543 (e[35m CMPD Provdn Dispe[0m) Freq: 858.987500 MHz TDMA: false Slot: 0 Mod: true

I’ve given up on the timestamp, as I can’t figure out why it wasn’t working, and just skip to the timestamp for now.

Here’s my “complete” grok statement… And it works online, but does NOT work in Graylog. Help would be appreciated.

.*-\s+%{WORD:tr_action}.*TG:\s+.*%{TR_TGNAME}.*\s+?%{WORD:TG_TGID}.*Freq:\s+%{FREQ:tr_freq}\s+TDMA:\s+%{WORD:tr_tdma}\s+Slot:\s+%{NUMBER:tr_slot}

TR_TGNAME \w{1,5}
FREQ \d+(?:\.\d+)? (?:MHz|KHz|Hz)

Brian,

One thing I normally do when troubleshooting grok patterns in Graylog is to try to get started with the first match only, and then build out from there.

In other words, can you get:

To match the tr_action field? If not, you may need to make some adjustments there (but it should match, at least from what I can tell). Once that matches, add the pattern for your second term after it and see if it matches, and so on.

Thanks,
Mark

That’s how I worked to build the statement… But I did it in the simulator website, since it gives more feedback. Even as you have quoted, it does not work. For some reason, Graylog doesn’t like the first match at all.
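An added example for checking this offline (my code, not Graylog's grok implementation and not anything posted in the thread): a small Python script that expands `%{NAME:field}` references using a subset of the stock grok definitions, matches the way grok does (an unanchored search), and automates Mark's add-one-term-at-a-time method by reporting the first step at which a pattern stops matching a line. The two sample lines are reconstructed from the thread with the colour-code ESC bytes restored; the stock definitions are copied from the grok library with atomic groups rewritten for Python's engine; `FREQ` and `TR_TGNAME` are the thread's custom patterns, with the unit alternatives in `FREQ` put in their own group.

```python
"""Offline grok checker for the trunk-recorder lines in this thread: expands
%{NAME:field} with a subset of the stock grok definitions, matches the way grok
does (unanchored search) and reports where a pattern stops matching a line."""
import re

# Stock grok definitions (atomic groups rewritten as plain groups for Python)
# plus the thread's two custom patterns.  FREQ keeps the unit alternatives in
# their own group: written as "\d+\.?\d+ MHz|KHz\Hz", the bare "|" splits the
# whole expression into three alternatives, only the first of which has the number.
PATTERNS = {
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "ISO8601_TIMEZONE": r"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))",
    "TIMESTAMP_ISO8601": r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?",
    "LOGLEVEL": r"(?:[Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo?(?:rmation)?|INFO?(?:RMATION)?|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)",
    "WORD": r"\b\w+\b",
    "SPACE": r"\s*",
    "BASE10NUM": r"(?<![0-9.+-])(?:[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))",
    "NUMBER": r"(?:%{BASE10NUM})",
    "TR_TGNAME": r"\w{1,5}",
    "FREQ": r"\d+(?:\.\d+)? (?:MHz|KHz|Hz)",
}
GROK_REF = re.compile(r"%\{(\w+)(?::([\w-]+))?\}")


def compile_grok(pattern):
    """Return (compiled regex, {generated group name: field name}).  A hyphen
    (tr_log-level) is not allowed in a regex group name in Python or Java, so
    each capture gets a generated name that is mapped back after matching."""
    fields = {}

    def expand(text):
        def sub(m):
            name, field = m.group(1), m.group(2)
            body = expand(PATTERNS[name])  # KeyError: pattern name not defined
            if field is None:
                return "(?:" + body + ")"
            group = "f%d" % len(fields)
            fields[group] = field
            return "(?P<" + group + ">" + body + ")"
        return GROK_REF.sub(sub, text)

    # Java-style (?<name>...) groups, as used in the thread, become (?P<name>...)
    python_style = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)
    return re.compile(expand(python_style)), fields


def grok_match(pattern, line):
    """Match like grok (first occurrence anywhere in the line); return a dict of
    field -> captured text, or None when the pattern does not match."""
    regex, fields = compile_grok(pattern)
    m = regex.search(line)
    if m is None:
        return None
    return {fields.get(g, g): v for g, v in m.groupdict().items()}


def first_failing_step(steps, line):
    """Mark's method automated: try steps[:1], steps[:2], ... and return the
    index of the step whose addition stops the match, or None if all match."""
    for k in range(1, len(steps) + 1):
        if grok_match("".join(steps[:k]), line) is None:
            return k - 1
    return None


# The full pattern from the thread, split where one would add the next term.
RECORDER_STEPS = [
    r"\[%{TIMESTAMP_ISO8601:tr_timestamp}\]",
    r"\s+\(%{LOGLEVEL:tr_log-level}\)",
    r"\s+-\s+%{WORD:tr_action}",
    r".*TG:%{SPACE}%{WORD:tr_tgid}",
    r".*\(.*%{SPACE}\[.*(?<tr_tgname>%{WORD} %{WORD} %{WORD}).*\)",
    r".*Freq:\s+%{FREQ:tr_freq}",
    r"\s+TDMA:\s+%{WORD:tr_tdma}",
    r"\s+Slot:\s+%{NUMBER:tr_slot}",
    r"\s+Mod:\s+%{WORD:tr_mod}",
]

# Constructed sample lines, reconstructed from the thread.  The colour codes the
# forum paste shows as "[35m" / "[0m" get their ESC byte back here.
ESC = "\x1b"
LINE_NO_LEVEL = ("[2021-05-19 19:13:33.398421]: \t- Starting P25 Recorder Num [1]\t"
                 "TG: " + ESC + "[35m      9106" + ESC + "[0m\tFreq: 851.850000 MHz \t"
                 "TDMA: false\tSlot: 0\tMod: true")
LINE_WITH_LEVEL = ("[2021-05-19 10:30:25.868276] (info) - Starting P25 Recorder Num [34] "
                   "TG: 543 (" + ESC + "[35m CMPD Provdn Disp" + ESC + "[0m) "
                   "Freq: 858.987500 MHz TDMA: false Slot: 0 Mod: true")

if __name__ == "__main__":
    for line in (LINE_WITH_LEVEL, LINE_NO_LEVEL):
        step = first_failing_step(RECORDER_STEPS, line)
        if step is None:
            print("full match:", grok_match("".join(RECORDER_STEPS), line))
        else:
            print("stops matching at step %d: %s" % (step, RECORDER_STEPS[step]))
```

Run as-is, the full pattern from the thread matches the `(info)` line and returns all nine fields, while on the other sample it stops at step 1, the `\(%{LOGLEVEL}\)` term: that line has no level and a colon straight after the timestamp, so one pattern cannot cover both formats unless that term is made optional. Two other things the script makes visible: a `%{NAME}` reference to a pattern missing from the dictionary raises `KeyError`, and in Graylog a custom pattern such as `FREQ` likewise has to exist under exactly that name in the grok pattern list before the extractor can be compiled; and `%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:tr_log-level}` returns `None` on the sample line simply because `]` and `(` sit between the two fields, so those separators have to be written into the pattern (`\]\s+\(`), which the first step of `RECORDER_STEPS` does.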
