GROK Pattern Skipping Data

s1rv1val · August 18, 2020, 2:17pm

Hi,
I have a similar problem as:
https://community.graylog.org/t/grok-extractor-timestamp-question/16573
I tried the example %{TIMESTAMP_ISO8601:logdate}%{GREEDYDATA:UNWANTED} but it is not working.
I also have another question regarding how to extract some data.

My log entry looks similar to this:

2020-07-09 23:15:35.548 - successful
	Type:			execute
	Prepared:		true
	QL:				INSERT INTO tableName (cROWID,ccontextId,ccreationTime,cupdateTime,cclientId,ctime,cEnv,csolution,cgroupId,clocalId,cElementBuffer) VALUES ('144ddbc0-c23a-11ea-a7e2-5e34ac1e1037','0c52dbf2-c23a-11ea-894f-a878ac1e1036',1594336529000,1594336535108,'0689aa10-ff07-11e9-9cb5-aa1fac1b495c',-1,'000','MONITORING','0c52dbf2-c23a-11ea-894f-a878ac1e1036','0017364273',[bytes:382])
	Result-Count:	0
	Runtime:		7 ms

So far I have the following pattern:

%{TIMESTAMP_ISO8601:logdate}%{GREEDYDATA:UNWANTED} - %{DATA:state}\n\tType:\t\t\t%{DATA:UNWANTED}\n\tPrepared:\t\t%{DATA:UNWANTED}\n\tQL:\t\t\t\t%{DATA:QL}\n\tResult-Count:\t%{DATA:UNWANTED}\n\tRuntime:\t\t%{DATA:Runtime}

Somehow the solution from the other thread is not working and I still get a list of Year, Monthnum, etc.
The next thing I have no idea how to do the following: after the QL string I want the INSERT INTO table name, cRowId, and the Runtime extracted. Everything else I am not interessted in.
How do I do this? And how do I get the runtime value to display at the end?

Thx in advance!

shoothub · August 21, 2020, 4:35pm

Try to use this:

%{TIMESTAMP_ISO8601:logdate} - %{DATA:state}\n%{SPACE}Type:%{GREEDYDATA:UNWANTED}%{SPACE}Prepared:%{GREEDYDATA:UNWANTED}\n%{SPACE}QL:%{SPACE}%{GREEDYDATA:QL}\n%{SPACE}Result-Count:%{GREEDYDATA:UNWANTED}\n%{SPACE}Runtime:%{SPACE}%{GREEDYDATA:Runtime}

And check Named captures only

s1rv1val · August 21, 2020, 6:08pm

Thx. The time stamp and the runtime are now there like I want them.
I played around with it some more but can not find a solution for extracing only parts of what follows QL:
The tableName and the UUID in the values.
Is this possible?

shoothub · August 31, 2020, 7:27am

If I undestand correctly, do you want to extract name of table from SQL insert, and one of the field from SQL insert - which one?

system · September 14, 2020, 7:27am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
GROK Extractor Timestamp Question Graylog Central (peer support)	16	2082	August 13, 2020
Handling comma when converting extracted data to date type Graylog Central (peer support)	5	2216	May 3, 2018
Grok - Extractor Help Graylog Central (peer support)	7	447	June 7, 2021
Unwanted Grok Fields Graylog Central (peer support) grok-patternspl	6	531	November 14, 2023
Greedydata not validating Graylog Central (peer support)	7	451	March 11, 2021

GROK Pattern Skipping Data

Related topics