Two words break my grok

adfrad · January 26, 2020, 2:54pm

Hi I have the following log line and I’m trying to write a basic grok extractor

User: jsmith, Client: SSL client, ApplicationProtocol: HTTPS

When using :

User: %{WORD:User}, Client: %{WORD:Client}%{GREEDYDATA:remainder}

User comes over properly, but Client only shows “SSL” and not the second word (client) which is then shown in the remainder field. How can I populate Client with every word up to the next comma?

Thanks!

adfrad · January 26, 2020, 5:19pm

I fixed it! Here’s how to do it for those in the same predicament…

Client: (?<Client: >[^,]*)

system · February 9, 2020, 5:29pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok Extractor - Remove data from field Graylog Central (peer support)	3	1065	August 13, 2020
Grok Pattern Extractor Error Graylog Central (peer support)	5	1248	July 14, 2021
Issues with attempting to pull Fields from Message Graylog Central (peer support)	3	552	May 25, 2018
Grok extractor pattern help Graylog Central (peer support) grok-patternspl	5	2480	April 21, 2023
Greedydata not validating Graylog Central (peer support)	7	401	March 11, 2021

Two words break my grok

Related Topics