Grok pattern for repeating strings seperated by comma

lukojy · March 1, 2021, 11:52am

Hello,

I am trying to extract data from spamd filters which are separated by comma, example:

spamd: result: . 0 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,HTML_FONT_LOW_CONTRAST scantime=0.5

string1=DKIMWL_WL_HIGH, string2=DKIM_SIGNED and so on…

sometimes it could have up to different 15 strings and I am not sure how to write grok correct way Now I am using “hardcoded” version to extract it (%{WORD:spamd_filter}|%{WORD:spamd_filter},%{WORD:spamd_filter}|%{WORD:spamd_filter},%{WORD:spamd_filter},%{WORD:spamd_filter} and so on........

I would like to get such results:

spamd_filter [“DKIMWL_WL_HIGH”,“DKIM_SIGNED”,“DKIM_VALID”,“HTML_FONT_LOW_CONTRAST”]

using simpler grok, because I am sure there is better way to do it

Any help is greatly appreciated!

system · March 15, 2021, 11:52am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to ignore comma in quoted strings? Graylog Central (peer support)	3	1450	April 5, 2019
Grok parsing multi-value field from csv Graylog Central (peer support) grok-patternspl	5	587	April 4, 2024
Need some help with specific query with commas or whitespaces Graylog Central (peer support)	1	643	April 24, 2018
Grok Extractor Grok Pattern Help Graylog Central (peer support)	3	1568	March 29, 2020
Need help with extractor Graylog Central (peer support)	4	870	March 30, 2021

Grok pattern for repeating strings seperated by comma

Related topics