Problems with Grok Extractor int data type

Hi, want to use a grok extractor to get a numeric field from a text string. Extractor gets number fine, but when I add a ;int to the end of the extractor to make the datatype integer, it does not work. String I am extracting from looks like this:

Oct 01 2020 15:51:41 HA-FPR-2120 %FTD-6-430002: DeviceUUID: ca82d3d0-ee5c-11e9-8323-db16c9abb0b8, AccessControlRuleAction: Allow, SrcIP: 172.16.200.222, DstIP: 52.202.200.114, SrcPort: 50435, DstPort: 443, Protocol: tcp, IngressInterface: HA-Inside, EgressInterface: HA-Outside, IngressZone: HA-Inside-Zone, EgressZone: HA-Outside-Zone, ACPolicy: HA-FPWR2120_Access, AccessControlRuleName: Hotspot_Shield, Prefilter Policy: HA-FPWR-Prefilter-Policy, User: randalls, Client: SSL client, ApplicationProtocol: HTTPS, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 704, ResponderBytes: 66, NAPPolicy: Balanced Security and Connectivity, URL: https://pi979-ndbt2.ads.tremorhub.com

My extractor is pulling the value for InitiatorBytes and looks like this:
(?<=InitiatorBytes: )[\d+]*(?=,)
The test result for that grok is:
{
"FP_Init_BytesN": "704"
}

However, if I change the grok to (?<=InitiatorBytes: )[\d+]*(?=,);int I get {} for the test result. Seems like it is unable to create the data type as integer. What am I doing wrong?

I’m not overly familiar with your syntax, but it looks like the Oniguruma Syntax for custom patterns.

So I’m guessing a bit here, but I’m thinking you can’t do that.

If you want to store the extracted text as an int, you can easily do that with the included basic GROK patterns.

InitiatorBytes:%{BASE10NUM:initiator_bytes:int},

Also, make sure you want an int and not a long.

InitiatorBytes:%{BASE10NUM:initiator_bytes:long},
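The int-versus-long point from the answer above, as an added Python example that is not part of the thread and is not Graylog code: it parses the key/value body of the posted log line and converts a field only if it fits the chosen width. The function names, the shortened sample line and the choice to return None on overflow are assumptions of this sketch.

```python
import re

# Shortened copy of the log line from the post (some fields omitted).
SAMPLE = (
    "Oct 01 2020 15:51:41 HA-FPR-2120 %FTD-6-430002: "
    "SrcIP: 172.16.200.222, DstIP: 52.202.200.114, SrcPort: 50435, "
    "DstPort: 443, Protocol: tcp, Prefilter Policy: HA-FPWR-Prefilter-Policy, "
    "InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 704, "
    "ResponderBytes: 66, URL: https://pi979-ndbt2.ads.tremorhub.com"
)

# Signed ranges of the two integer widths mentioned in the answer.
RANGES = {"int": (-2**31, 2**31 - 1), "long": (-2**63, 2**63 - 1)}

# Message-ID prefix that precedes the key/value body in the sample line.
HEADER = re.compile(r"%FTD-\d-\d+: ")


def parse_fields(line):
    """Split the 'Key: value, Key: value' body into a dict of strings.

    Assumes values never contain ', ' (true for the sample line).
    """
    m = HEADER.search(line)
    if not m:
        return {}
    fields = {}
    for pair in line[m.end():].split(", "):
        key, sep, value = pair.partition(": ")
        if sep:
            fields[key] = value
    return fields


def convert(fields, name, kind):
    """Return fields[name] as an integer of width `kind` ('int' or 'long').

    Returns None when the field is missing, not a plain base-10 integer,
    or too large for the requested width (this sketch's own policy).
    """
    raw = fields.get(name)
    if raw is None or not re.fullmatch(r"[+-]?\d+", raw):
        return None
    value = int(raw)
    low, high = RANGES[kind]
    return value if low <= value <= high else None
```

A byte counter of 5000000000 on a long-lived connection no longer fits a 32-bit int here, which is the case the answer's "long" variant is meant for.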

Thanks, modifying my grok pattern did the trick.

cool… glad to hear it.
