I have a log field that sometimes has an additional field and sometimes not. Using grokdebugger, I have a working grok, but the problem is that the pipeline grok extracts the field as an array and not a string. (Using graylog 6.0.4 with the new style of rules).
Username:192.168.1.254 IKEv2 SA UP. Reason: New Connection Established
and
Username:Unknown IKEv2 Received a IKE_INIT_SA request
Grok:
(Username:%{DATA:username}\\s*)(%{DATA:ikeMsg} Reason:\\s*%{DATA:reason}$)?(%{DATA:ikeMsg}$)?
This works in both cases, but I get an array back for the ikeMsg when reason is present. I’m guessing it is because I have them in the same grouping (), but this was the only way I could find to get the reason when present and the ike message when not.
When reason is present, I get
ikeMsg=["IKEv2 SA UP.",""]
But when it is not, I get
ikeMsg=IKEv2 SA UP.
Thanks in advance for any tips or tricks!
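As an added illustration (not part of the post above, and not Graylog's grok engine), here is a Python translation of the same parsing problem. Grok's %{DATA} is the lazy `.*?`, so the two sample lines can be matched with a single `ikeMsg` capture group followed by an optional, non-capturing `Reason:` suffix, which guarantees every extracted field is one string. The exact pattern, the `\S+` used for the username (the original grok uses %{DATA} there) and the field names are my assumptions, and the sample lines are the two cases quoted in the post.

```python
import re
from typing import Optional

# Constructed sample input: the two log shapes described in the post,
# one with a trailing "Reason:" and one without.
SAMPLE_LINES = [
    "Username:192.168.1.254 IKEv2 SA UP. Reason: New Connection Established",
    "Username:Unknown IKEv2 Received a IKE_INIT_SA request",
]

# Python regex approximation of the grok pattern (assumed, not the poster's rule).
# Only ONE ikeMsg group exists; the Reason part is an optional non-capturing
# suffix, so the engine never has two captures to collect into a list.
IKE_LINE = re.compile(
    r"^Username:(?P<username>\S+)\s+"   # username runs to the first space
    r"(?P<ikeMsg>.*?)"                   # lazy, like grok %{DATA}
    r"(?:\s+Reason:\s*(?P<reason>.*?))?" # optional "Reason: ..." tail
    r"\s*$"
)


def parse_ike_line(line: str) -> Optional[dict]:
    """Return the extracted fields as plain strings, or None if no match.

    'reason' is only present in the result when the log line carried it,
    mirroring how a pipeline would only set the field when it was captured.
    """
    m = IKE_LINE.match(line)
    if not m:
        return None
    fields = {"username": m.group("username"), "ikeMsg": m.group("ikeMsg")}
    if m.group("reason") is not None:
        fields["reason"] = m.group("reason")
    return fields


def parse_all(lines) -> list:
    """Parse several lines; every value in every result is a single str."""
    results = []
    for line in lines:
        parsed = parse_ike_line(line)
        if parsed is not None:
            assert all(isinstance(v, str) for v in parsed.values())
            results.append(parsed)
    return results


def duplicate_group_names_rejected() -> bool:
    """Show why the two-ikeMsg-group approach behaves differently per engine.

    Python's re module refuses a pattern that names two groups 'ikeMsg';
    the grok engine behind the pipeline instead keeps both captures, which
    is what produces the ["IKEv2 SA UP.", ""] list seen in the post.
    """
    try:
        re.compile(r"(?P<ikeMsg>a)?(?P<ikeMsg>b)?")
    except re.error:
        return True
    return False


if __name__ == "__main__":
    for parsed in parse_all(SAMPLE_LINES):
        print(parsed)
    print("duplicate group names rejected by re:", duplicate_group_names_rejected())
```

Run it as-is to see both lines produce string-valued fields; the `reason` key is simply absent for the second line rather than an empty string.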