GROK Extractor Timestamp Question

Graylog Central (peer support)
1

I am trying to extract the timestamp from a message, but the %{TIMESTAMP_ISO8601} pattern returns a lot of data I do not need. I only need the timestamp field, how do I remove the unnecessary data.

Also, is it possible to skip this field altogether?

Please see the screenshots.

2020-07-28_18-54-10
2020-07-28_18-54-101871×109 36.6 KB

2020-07-28_18-50-13
2020-07-28_18-50-131128×791 33.8 KB

2

Yes, there is a option Named captures only in extractor, or pipeline function grok(), parameter only_named_captures, so it will extract only named, in your case only timestamp.

https://docs.graylog.org/en/3.3/pages/pipelines/functions.html#grok

1 Like
3

Thank you, that worked. Is there a way to completely skip fields?

4

Yes of course, use UNWANTED as a name in grok pattern, for example:
%{BASE10NUM:UNWANTED}

Check docs:
https://docs.graylog.org/en/3.3/pages/extractors.html#using-grok-patterns-to-extract-data

1 Like
5

@shoothub

When I try this I get an error that Graylog cannot parse:

2020-07-29_8-03-18
2020-07-29_8-03-18712×427 21 KB

2020-07-29_8-03-36

6
  1. GROK as a result generate regular expression, so it’s only simplified form of regex. So you need to include grok patterns for part of text.
  2. If you want to skip some text you can use %{GREEDYDATA:UNWANTED}. For example to extract fw field use:
    %{TIMESTAMP_ISO8601:timestamp}%{GREEDYDATA:UNWANTED}fw=%{IP:fw_ip}
  3. If you want to extract all field, check for key-value extractor. Your message is great candidate for it.
    https://docs.graylog.org/en/3.3/pages/extractors.html#automatically-extract-all-key-value-pairs
1 Like
8

I’m trying that, as well as some other patterns like INT, NUMBER, WORD, and a few others and Graylog throws an error no matter what I try. Ideally I’d like to strip other fields out as well.

2020-07-29_13-28-45
2020-07-29_13-28-45885×789 47.1 KB

9

You have space between %{TIMESTAMP_ISO8601:timestamp} %{GREEDYDATA:UNWANTED}
If you check original message, there is " after timestamp, and not only space, so you need to include " in your grok, so:

  1. Either use grok without space (which will also include " and space and another strings):
    %{TIMESTAMP_ISO8601:timestamp}%{GREEDYDATA:UNWANTED}
  2. Or use grok with " after timestamp:
    %{TIMESTAMP_ISO8601:timestamp}" %{GREEDYDATA:UNWANTED}
1 Like
10

@shoothub Thanks to you I’ve made some major progress. I have another issue I need to overcome though.

There is a field in the log that contains the line:

msg=“NWC23465: VPN Tunneling: Session ended for user with IPv4 address 192.168.110.10”

I would like to break this into two fields:

evID = NWC23465 (without colon)
msg = VPN Tunneling: Session ended for user with IPv4 address 192.168.110.10

2020-07-30_7-21-20
2020-07-30_7-21-201858×108 13.9 KB

2020-07-30_7-17-03
2020-07-30_7-17-031104×856 50.7 KB

11

Why not use something like:
msg="%{WORD:evID}: %{GREEDYDATA:msg}"

1 Like
12

I would like to buy you a drink sometime. THANK YOU!

13

Check this fine online grok debugger, it parses grok patterns online, so can help with grok generation.
http://grokdebug.herokuapp.com/

14

I have been. It does not like the {EMAILADDRESS} for some reason. I had to use {GREEDYDATA} to pull the Username on that site.

15

Maybe graylog have more grok patterns, than this page, but you can still add your own, using Add custom patterns

1 Like
16

I will need to use a pipeline to change the order of the fields in the message? It appears to default to alphabetical order.

17

If you mean how graylog displays extracted fields, yes it’s in alphabetical order, so you can’t change it.

21

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.