Grok returns array and not string

I have a log field that sometimes has an additional field and sometimes not. Using grokdebugger, I have a working grok, but the problem is that the pipeline grok extracts the field as an array and not a string. (Using graylog 6.0.4 with the new style of rules).

Username:192.168.1.254 IKEv2 SA UP. Reason: New Connection Established

and

Username:Unknown IKEv2 Received a IKE_INIT_SA request

Grok:

(Username:%{DATA:username}\\s*)(%{DATA:ikeMsg} Reason:\\s*%{DATA:reason}$)?(%{DATA:ikeMsg}$)?

This works in both cases but I get an array back for the ikeMsg when reason is present, I’m guessing because I have them in the same grouping () but this was the only way I could find to get the reason when present and the ike message when not.

When reason is present, I get

ikeMsg=["IKEv2 SA UP.",""]

But when it is not, I get

ikeMsg=IKEv2 SA UP.

Thanks in advance for any tips or tricks!

Ah, found my own solution. I had to move the $ out of the match.

(Username:%{DATA:username}\\s+)(%{DATA:ikeMsg}?)(\\s+Reason:\\s+%{DATA:reason})?$
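To see why the first pattern yields a list and the second a string, here is an added Python simulation (not Graylog's code, and not from the thread) that expands `%{DATA:field}` into named groups and merges repeated captures the way the pipeline `grok()` function reports them. It only knows the `DATA` pattern (grok's lazy `.*?`), the two sample lines are the ones from the question, and the doubled backslashes in the posted patterns are assumed to be the escaping for the rule's double-quoted string, so the raw Python strings below use a single backslash.

```python
import re

# Grok's DATA is the lazy ".*?"; this one-entry table stands in for Graylog's
# pattern library (constructed for this example).
GROK_PATTERNS = {"DATA": r".*?"}

# The two patterns from the thread, with "\\s" reduced to "\s" (raw strings).
OLD_PATTERN = r"(Username:%{DATA:username}\s*)(%{DATA:ikeMsg} Reason:\s*%{DATA:reason}$)?(%{DATA:ikeMsg}$)?"
NEW_PATTERN = r"(Username:%{DATA:username}\s+)(%{DATA:ikeMsg}?)(\s+Reason:\s+%{DATA:reason})?$"

# Sample log lines copied from the question.
SAMPLE_WITH_REASON = "Username:192.168.1.254 IKEv2 SA UP. Reason: New Connection Established"
SAMPLE_WITHOUT_REASON = "Username:Unknown IKEv2 Received a IKE_INIT_SA request"


def compile_grok(pattern):
    """Expand %{NAME:field} references into Python named groups.

    Python's re rejects a group name that appears twice, so each occurrence of a
    field gets a numeric suffix (ikeMsg__0, ikeMsg__1); match_grok() merges them.
    """
    seen = {}

    def expand(m):
        name, field = m.group(1), m.group(2)
        idx = seen.get(field, 0)
        seen[field] = idx + 1
        return f"(?P<{field}__{idx}>{GROK_PATTERNS[name]})"

    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", expand, pattern))


def match_grok(pattern, text):
    """Report fields like the pipeline grok() function: a field captured by one
    group is a string; a field captured by two groups that both took part in
    the match becomes a list. Returns None when the pattern does not match."""
    m = compile_grok(pattern).search(text)
    if m is None:
        return None
    captures = {}
    for group_name, value in m.groupdict().items():
        if value is None:  # this group did not participate in the match
            continue
        field = group_name.rsplit("__", 1)[0]
        captures.setdefault(field, []).append(value)
    return {f: v[0] if len(v) == 1 else v for f, v in captures.items()}


if __name__ == "__main__":
    for label, pattern in (("old", OLD_PATTERN), ("new", NEW_PATTERN)):
        for line in (SAMPLE_WITH_REASON, SAMPLE_WITHOUT_REASON):
            print(label, match_grok(pattern, line))
```

With the old pattern and a line that carries `Reason:`, the second `(%{DATA:ikeMsg}$)?` group still participates (it matches the empty string at end of input), so `ikeMsg` arrives as a two-element list whose last entry is `""`; without `Reason:` the first group fails to match at all and only one capture exists, hence a plain string. The fixed pattern names `ikeMsg` once and puts the reason in its own optional group, so the field is always a string. Note also that `\s+` in place of `\s*` forces at least one space after the username, which stops the lazy `DATA` from matching `username` as empty.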
