Not able to use Grok pattern in Graylog but works in extractor

Hi, I am trying to create a Grok pattern for a syslog:
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 1.1.1.1] [localport: 22] at 08:51:08 UTC Wed Jun 5 2024

and my grok pattern is below:
Login Success [user: %{USERNAME:User}] [Source: %{IPV4:Ipv4Address}] [localport: %{NUMBER:Port}

Now I am able to extract the data from it using input extractors but it doesn’t work in pipeline and see the below error:

Errors: Unknown function Port in line 9 pos 110 mismatched input ‘}’ expecting {‘;’, ‘[’, ‘.’, ‘+’, ‘-’, ‘‘, ‘/’, ‘%’, ‘<=’, ‘>=’, ‘>’, ‘<’, ‘==’, ‘!=’, And, Or} token recognition error at: ‘"Login Success [’ mismatched input ‘:’ expecting {’;', ‘[’, ‘.’, ‘+’, ‘-’, '’, ‘/’, ‘%’, ‘<=’, ‘>=’, ‘>’, ‘<’, ‘==’, ‘!=’, And, Or} Undeclared variable User in line 9 pos 45 mismatched input ‘:’ expecting {‘)’, ‘[’, ‘,’, ‘.’, ‘+’, ‘-’, ‘‘, ‘/’, ‘%’, ‘<=’, ‘>=’, ‘>’, ‘<’, ‘==’, ‘!=’, And, Or} mismatched input ‘:’ expecting {’;', ‘[’, ‘.’, ‘+’, ‘-’, '’, ‘/’, ‘%’, ‘<=’, ‘>=’, ‘>’, ‘<’, ‘==’, ‘!=’, And, Or} Unknown function Source in line 9 pos 55 token recognition error at: ‘' Missing required parameter value of type String in call to function grok in line 8 pos 34 token recognition error at: ‘' mismatched input ‘:’ expecting {’;’, ‘[’, ‘.’, ‘+’, ‘-’, ‘‘, ‘/’, ‘%’, ‘<=’, ‘>=’, ‘>’, ‘<’, ‘==’, ‘!=’, And, Or} Undeclared variable user in line 9 pos 28 Unknown function message in line 10 pos 29 Incompatible types (grok(pattern: user)) : GrokResult <=> ({USERNAME:User}) : Map in line 8 pos 34 mismatched input ‘:’ expecting {’;', ‘[’, ‘.’, ‘+’, ‘-’, '’, ‘/’, ‘%’, ‘<=’, ‘>=’, ‘>’, ‘<’, ‘==’, ‘!=’, And, Or} Unknown function Ipv4Address in line 9 pos 70 Unknown function localport in line 9 pos 87 token recognition error at: ‘' mismatched input ‘}’ expecting {’;‘, ‘[’, ‘.’, ‘+’, ‘-’, ‘‘, ‘/’, ‘%’, ‘<=’, ‘>=’, ‘>’, ‘<’, ‘==’, ‘!=’, And, Or} Unknown function IPV4 in line 9 pos 65 mismatched input ‘]’ expecting {’;', ‘[’, ‘.’, ‘+’, ‘-’, '’, ‘/’, ‘%’, ‘<=’, ‘>=’, ‘>’, ‘<’, ‘==’, ‘!=’, And, Or} Unknown function BASE10NUM in line 9 pos 100 Expected type String for argument pattern but found Object in call to function grok in line 8 pos 34 mismatched input ‘’ expecting {’;', ‘[’, ‘.’, ‘+’, ‘-’, ‘*’, ‘/’, ‘%’, ‘<=’, ‘>=’, ‘>’, ‘<’, ‘==’, ‘!=’, And, Or} token recognition error at: ‘")\n);\nset_fields(\n fields: gl2_fragment_grok_results\n);\nend’ token recognition error at: ''

Environment details:

Graylog: 6.0.2
MonghDB: 7.0.17
Opensearch: 214
OS: Ubuntu 22

Hi,
please also post your rule from the pipeline to find the error.

Hi @ihe Thank you for your response, I am using rule builder to make the query, here it is -

Screenshot 2024-06-05 at 5.32.33 PM2682×2070 391 KB

Never mind, I have got the solution here:

Basically I had to use double escapes on all special characters.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.