Problem with blank field in grok pattern

Hello everyone,

I have a problem with a grok pattern when I have to extract a value that sometimes could be “blank” or “R”.

  • Example message: (with value R)
    11/03/2021 14:02:59 1350 PACKET 000001A13A5BF570 UDP Rcv 208.67.222.222 5e4c R Q [8081 DR NOERROR] A (9)googleads(1)g(11)doubleclick(3)net(0)

  • Example message: (blank field)
    11/03/2021 14:15:11 134C PACKET 000001A137513D50 UDP Rcv 192.168.1.6 8bd2 Q [0001 D NOERROR] A (3)ssl(7)gstatic(3)com(0)

My grok pattern: (it is incomplete because I have this problem)

%{DATE_EU:DNS_Data} %{TIME:DNS_Hora} %{WINDNS_THREADID:DNS_ThreadID} %{NOTSPACE:DNS_Context}%{SPACE}%{WINDNS_BASE16NUM:DNS_InternalID} %{WINDNS_PROTOCOL:DNS_Protocol} %{WINDNS_SNDRCV:DNS_Direction} %{IP:DNS_RemoteIP}%{SPACE}%{WINDNS_XID:DNS_XID}(%{WINDNS_QUERYRESP:DNS_QueryResp})?%{SPACE}%{NOTCOMMA:Rest}

WINDNS_QUERYRESP pattern? I tested a lot of examples like:

  • (?)
  • (\s+R\s+ \s+)
  • (\s+R\s+ \s+)

But I have no idea how to proceed. The actual result is:
[screenshot: Captura]

You can see that it is not putting the “R” in the field named “DNS_QueryResp”. Can anyone help me? Thank you in advance!

Hi @amendoza

Never worked with grok patterns before, so I’m not sure if it has full support for regular expressions, but I cut a little piece of your examples and changed your regex a little bit to make it work:

[a-z0-9]{1,}([R ]{1,})?Q

This regex will work in both scenarios:
5e4c R Q
8bd2 Q

I just don’t know how to fit my example in your grok pattern :sweat_smile:

Really hope it helps.


Thanks for your answer, but it does not work.

My first field could be “blank” or “R”, and the next field could be “Q”,“N”,“U” or “?”.

So I need something like: ?{1} on my first field

So I have to consider the space field that could be empty or R.

Something like this?
(\s*|R)

Hi, based on your comment, I changed the regex to be like:

[a-z0-9]{1,}([R ]{1,})?[QNU?]

Give it a try and see if it helps.

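As an added example (not code from the thread), here is the full line from the two sample messages parsed with Python's `re`, which is what a grok pattern compiles down to: each `%{NAME:field}` becomes a named group, and the optional “R” field is handled by putting the separating whitespace inside the optional group, so a blank field needs no extra space before the Q/N/U/? field. The `DNS_OpCode`, `DNS_Flags`, `DNS_QType`, `DNS_Name` names and the `decode_name` helper are my own additions; the grok-side equivalent of the fix is shown in a comment.

```python
import re

# Grok equivalent of the optional-field fix (inline named captures):
#   %{WINDNS_XID:DNS_XID}(?:\s+(?<DNS_QueryResp>R))?\s+(?<DNS_OpCode>[QNU?])
# "\s+" tolerates the extra padding Windows leaves when the R column is blank.
WINDNS_LINE = re.compile(
    r"^(?P<DNS_Data>\d{2}/\d{2}/\d{4}) "
    r"(?P<DNS_Hora>\d{2}:\d{2}:\d{2}) "
    r"(?P<DNS_ThreadID>[0-9A-Fa-f]+) "
    r"(?P<DNS_Context>\S+)\s+"
    r"(?P<DNS_InternalID>[0-9A-Fa-f]+) "
    r"(?P<DNS_Protocol>UDP|TCP) "
    r"(?P<DNS_Direction>Snd|Rcv) "
    r"(?P<DNS_RemoteIP>\S+)\s+"
    r"(?P<DNS_XID>[0-9A-Fa-f]{4})"
    r"(?:\s+(?P<DNS_QueryResp>R))?"   # optional " R" (response) or nothing
    r"\s+(?P<DNS_OpCode>[QNU?])"       # Q, N, U or ?
    r"\s+\[(?P<DNS_Flags>[^\]]*)\]"
    r"\s+(?P<DNS_QType>\S+)"
    r"\s+(?P<DNS_Name>\S+)\s*$"
)

# The two messages from the question (response with R, and blank field).
SAMPLE_LINES = [
    "11/03/2021 14:02:59 1350 PACKET 000001A13A5BF570 UDP Rcv 208.67.222.222 5e4c R Q [8081 DR NOERROR] A (9)googleads(1)g(11)doubleclick(3)net(0)",
    "11/03/2021 14:15:11 134C PACKET 000001A137513D50 UDP Rcv 192.168.1.6 8bd2 Q [0001 D NOERROR] A (3)ssl(7)gstatic(3)com(0)",
]


def parse_windns(line):
    """Return the named fields as a dict, or None if the line does not match.
    DNS_QueryResp is 'R' when the flag is present and '' when it is blank."""
    m = WINDNS_LINE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["DNS_QueryResp"] = fields["DNS_QueryResp"] or ""
    return fields


def decode_name(encoded):
    """Turn the '(9)googleads(1)g(11)doubleclick(3)net(0)' label format into a dotted name."""
    labels = [lab for _, lab in re.findall(r"\((\d+)\)([^()]*)", encoded) if lab]
    return ".".join(labels)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        f = parse_windns(line)
        print(repr(f["DNS_QueryResp"]), f["DNS_OpCode"], f["DNS_Flags"], decode_name(f["DNS_Name"]))
```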
