I have a basic authentication log formatted as follows:
2018-03-19 15:11:46,181 https-jsse-nio-443-exec-246 JiraServiceAccount 911x8252778x1 - 192.168.0.1 /rest/api/2/search The user ‘ServiceAccount’ has PASSED authentication.
2018-03-19 15:11:46,744 https-jsse-nio-443-exec-251 JiraServiceAccount 911x8252779x1 - 192.168.0.1 /rest/api/2/search The user ‘ServiceAccount’ has PASSED authentication.
I’m finding it easy enough to pull out the date but I just can’t figure out how to pull/ignore the https-jsse-nio-443 after it?
I need to extract the username between quotes from “The user ‘ServiceAccount’ has PASSED authentication.” To do this I’ve set up a grok pattern called JIRASECUSER, which is the following regex:
(?<=The user ').*?(?=')
Again, this works in isolation, as does the %{JIRASECUSER} on its own in the extractor.
As soon as I try to use the following, the filter refuses to run:
As I do not know how other possible messages can look, I did not extract the username from the field message - that should be done in a second pattern on the field - this way you always get the basics and you are able to work with the real message separately.
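The two-stage approach described in the reply, as an added example written in Python regular expressions rather than Graylog grok (it is not code from either poster): stage 1 takes the fixed leading fields and keeps the rest as the message, stage 2 runs on the message only. The field names (thread, account, request_id, session) and the second sample line are assumptions made for illustration.

```python
import re

# Stage 1: fixed leading fields; everything after the path is kept whole.
# Field names are assumptions, not taken from the application's documentation.
BASE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<thread>\S+) (?P<account>\S+) (?P<request_id>\S+) (?P<session>\S+) "
    r"(?P<client_ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<path>/\S*) (?P<message>.*)$"
)

# Stage 2: applied to "message" only. Accepts straight or typographic quotes,
# since the lines as posted use the typographic form.
QUOTE = "'\u2018\u2019"
AUTH = re.compile(
    rf"^The user [{QUOTE}](?P<user>[^{QUOTE}]*)[{QUOTE}] "
    r"has (?P<outcome>[A-Z]+) authentication\."
)

def parse_line(line):
    """Return the base fields, plus user/outcome when the message matches."""
    base = BASE.match(line.strip())
    if base is None:
        return None                      # not in the expected layout at all
    fields = base.groupdict()
    auth = AUTH.match(fields["message"])
    if auth:                             # unknown message shapes keep base fields
        fields.update(auth.groupdict())
    return fields

SAMPLE = [
    # First line from the post (quotes written as escapes).
    "2018-03-19 15:11:46,181 https-jsse-nio-443-exec-246 JiraServiceAccount "
    "911x8252778x1 - 192.168.0.1 /rest/api/2/search "
    "The user \u2018ServiceAccount\u2019 has PASSED authentication.",
    # Constructed line with a message of a different shape.
    "2018-03-19 15:12:01,002 https-jsse-nio-443-exec-12 anonymous "
    "912x8252780x1 - 192.168.0.1 /rest/api/2/search Some other message text",
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(parse_line(raw))
```

The thread name is consumed as a single whitespace-delimited token, so it can be captured or simply left unused, and a message that stage 2 does not recognise still yields the timestamp, client IP and path.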