Hi,
i have a problem building my desired grok extractor. Following the docs I do:
Working:
devname=%{NOTSPACE:Hostname}
Not working:
as soon as I put a second value into the pattern like mentioned in the doc section, it cannot extract anymore and run into an error:
devname={%NOTSPACE:Hostname} vd=%{NOTSPACE:vdom}
"Attention
We were not able to run the grok extraction. Please check your parameters."
What am I missing here.
Thanks and Regards
Christian
shoothub
June 28, 2021, 2:18pm
2
Hi @ibnetze
Check this example:
devname=\"%{HOSTNAME:devname}\" devid=\"%{HOSTNAME:devid}\"
2 Likes
Hi shoothub,
thanks, your pattern works fine.
produces an error.
perhabs i need a grook pattern for dummies book.
Thanks and Cheers
Christian
shoothub
June 29, 2021, 11:11am
4
Your grok doesn’t work because GROK is simplified regular expression, which should match complete string. In you example between devname=“XX” and src=“XY” there are other texts: devid="XX" eventtime=XX tz="XX" logid="XX" etc. So your grok need to contain also this text. If you don’t care about these text use simple %{GREEDYDATA:UNWANTED} which is like .*
So your grok would be:devname="%{HOSTNAME:devname}" %{GREEDYDATA:UNWANTED} srcip="%{IPV4:sourceip}"
1 Like
thanks for lighting me up, shoothub, that did the magic trick
devname=%{NOTSPACE:vpnhost} %{GREEDYDATA:UNWANTED} vd=%{NOTSPACE:vdom} %{GREEDYDATA:UNWANTED} user=%{NOTSPACE:user} %{GREEDYDATA:UNWANTED} sentbyte=%{BASE10NUM:sent} rcvdbyte=%{BASE10NUM:rcvd}
1 Like
system
July 14, 2021, 7:28am
6
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
