These were triple-checked and verified as working in Grok Debugger.
Pattern:
%{WORD:logsrc}.div.company.com %{NUMBER:num},%{DATA:receive_time},%{NUMBER:serial},%{WORD:type},%{WORD:subtype},%{NUMBER:unknown_num},%{DATA:time_generated},%{DATA:src},%{DATA:dst},%{DATA:natsrc},%{DATA:natdst},%{DATA:rule},%{DATA:srcuser},%{DATA:dstuser},%{DATA:app},%{DATA:vsys},%{DATA:from},%{DATA:to},%{DATA:inbound_if},%{DATA:outboundif},%{DATA:logset},%{DATA:unknown_time},%{NUMBER:sessionid},%{NUMBER:repeatcnt},%{NUMBER:sport},%{NUMBER:dport},%{NUMBER:natsport},%{NUMBER:natdport},%{DATA:flags},%{DATA:proto},%{DATA:action},%{NUMBER:bytes},%{NUMBER:bytes_sent},%{NUMBER:bytes_received},%{NUMBER:packets},%{DATA:start},%{NUMBER:elapsed},%{DATA:category},%{DATA:unknown_field1},%{DATA:seqno},%{DATA:actionflags},%{DATA:srcloc},%{DATA:dstloc},%{DATA:unknown_field2},%{DATA:pkts_sent},%{DATA:pkts_received},%{DATA:session_end_reason},%{DATA:dg_hier_level_1},%{DATA:dg_hier_level_2},%{DATA:dg_hier_level_3},%{DATA:dg_hier_level_4},%{DATA:vsys_name},%{DATA:device_name},%{DATA:action_source},%{DATA:src_uuid},%{DATA:dst_uuid},%{DATA:tunnelid},%{DATA:monitortag},%{DATA:parent_session_id},%{DATA:parent_start_time},%{DATA:tunnel},%{NUMBER:assoc_id},%{NUMBER:chunks},%{NUMBER:chunks_sent},%{NUMBER:chunks_received},%{DATA:rule_uuid},%{DATA:http2_connection},%{DATA:link_change_count},%{DATA:policy_id},%{DATA:link_switches},%{DATA:sdwan_cluster},%{DATA:sdwan_device_type},%{DATA:sdwan_cluster_type},%{DATA:sdwan_site},%{DATA:dynusergroup_name},%{DATA:xff_ip},%{DATA:src_category},%{DATA:src_profile},%{DATA:src_model},%{DATA:src_vendor},%{DATA:src_osfamily},%{DATA:src_osversion},%{DATA:src_host},%{DATA:src_mac},%{DATA:dst_category},%{DATA:dst_profile},%{DATA:dst_model},%{DATA:dst_vendor},%{DATA:dst_osfamily},%{DATA:dst_osversion},%{DATA:dst_host},%{DATA:dst_mac},%{DATA:container_id},%{DATA:pod_namespace},%{DATA:pod_name},%{DATA:src_edl},%{DATA:dst_edl},%{DATA:hostid},%{DATA:serialnumber},%{DATA:src_dag},%{DATA:dst_dag},%{DATA:session_owner},%{DATA:high_res_timestamp},%{DATA:nssai_sst},%{DATA:nssai_sd},%{DATA:subcategory_of_app},%{DATA:category_of_app},%{DATA:technology_of_app},%{DATA:risk_of_app},"%{DATA:characteristic_of_app}",%{DATA:container_of_app},%{DATA:tunneled_app},%{DATA:is_saas_of_app},%{DATA:sanctioned_state_of_app},%{DATA:offloaded},%{DATA:traffic_type},
Sample:
panorama.div.company.com 1,2024/12/02 15:18:02,024680993766,TRAFFIC,end,2897,2024/12/02 15:18:02,10.88.151.8,10.99.101.17,0.0.0.0,0.0.0.0,inernal-in_37,msrpc-base,vdiv1,PROD.Internal,PROD.DIVNET,ethernet1/2,ethernet1/1,default,2024/12/02 15:18:02,655765,1,61636,49681,0,0,0x401a,tcp,allow,4896,3798,1098,16,2024/12/02 15:17:19,29,any,7432514093394733498,0x8000000000000000,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,9,7,tcp-rst-from-client,20,11,0,0,PA2.FL13,from-policy,0,0,N/A,0,0,0,0,1c563515-f2e7-227d-dc61-76f72a114777,0,0,2024-12-02T15:18:02.940-05:00,infrastructure,networking,network-protocol,2,"has-known-vulnerability,tunnel-other-application,pervasive-use",msrpc,untunneled,no,no,0,NonProxyTraffic,
The problem appears to be in how the community forum software formats the text being pasted into it:
We noticed that if we test the text in Grok Debugger by copying from the left-side entry pane, it works successfully, but if we test by copying from the right-side preview pane, it fails at natsport.
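A field-by-field checker for the pattern above, added here as an example and not code from the original post. It reads the field order and grok types out of the post's own pattern string, splits a log line on the pattern's literal commas (the quoted characteristic_of_app value is the one field whose commas are not separators), and reports the first capture whose grok type cannot match the value it is handed, which is a quicker way to find the failing field than bisecting in the Grok Debugger. The embedded sample is a copy of the post's sample line as the forum renders it, typographic quotes included. The NUMBER and WORD regexes are simplified whole-field versions of the stock grok definitions and Python's re engine is not the one grok uses, so treat the result as a diagnostic rather than a drop-in replacement; the function names (first_mismatch, split_fields, synthetic_line) are this example's own.

```python
"""Field-by-field checker for the PAN-OS TRAFFIC grok pattern in the post above.
Added example; pattern and sample are copied from the post, the grok primitives are
simplified whole-field versions of the stock definitions (an assumption, see lead-in)."""
import csv
import re

# The post's pattern, with straight quotes around characteristic_of_app.
GROK_PATTERN = (
    "%{WORD:logsrc}.div.company.com %{NUMBER:num},%{DATA:receive_time},%{NUMBER:serial},%{WORD:type},"
    "%{WORD:subtype},%{NUMBER:unknown_num},%{DATA:time_generated},%{DATA:src},%{DATA:dst},%{DATA:natsrc},"
    "%{DATA:natdst},%{DATA:rule},%{DATA:srcuser},%{DATA:dstuser},%{DATA:app},%{DATA:vsys},%{DATA:from},"
    "%{DATA:to},%{DATA:inbound_if},%{DATA:outboundif},%{DATA:logset},%{DATA:unknown_time},%{NUMBER:sessionid},"
    "%{NUMBER:repeatcnt},%{NUMBER:sport},%{NUMBER:dport},%{NUMBER:natsport},%{NUMBER:natdport},%{DATA:flags},"
    "%{DATA:proto},%{DATA:action},%{NUMBER:bytes},%{NUMBER:bytes_sent},%{NUMBER:bytes_received},%{NUMBER:packets},"
    "%{DATA:start},%{NUMBER:elapsed},%{DATA:category},%{DATA:unknown_field1},%{DATA:seqno},%{DATA:actionflags},"
    "%{DATA:srcloc},%{DATA:dstloc},%{DATA:unknown_field2},%{DATA:pkts_sent},%{DATA:pkts_received},"
    "%{DATA:session_end_reason},%{DATA:dg_hier_level_1},%{DATA:dg_hier_level_2},%{DATA:dg_hier_level_3},"
    "%{DATA:dg_hier_level_4},%{DATA:vsys_name},%{DATA:device_name},%{DATA:action_source},%{DATA:src_uuid},"
    "%{DATA:dst_uuid},%{DATA:tunnelid},%{DATA:monitortag},%{DATA:parent_session_id},%{DATA:parent_start_time},"
    "%{DATA:tunnel},%{NUMBER:assoc_id},%{NUMBER:chunks},%{NUMBER:chunks_sent},%{NUMBER:chunks_received},"
    "%{DATA:rule_uuid},%{DATA:http2_connection},%{DATA:link_change_count},%{DATA:policy_id},%{DATA:link_switches},"
    "%{DATA:sdwan_cluster},%{DATA:sdwan_device_type},%{DATA:sdwan_cluster_type},%{DATA:sdwan_site},"
    "%{DATA:dynusergroup_name},%{DATA:xff_ip},%{DATA:src_category},%{DATA:src_profile},%{DATA:src_model},"
    "%{DATA:src_vendor},%{DATA:src_osfamily},%{DATA:src_osversion},%{DATA:src_host},%{DATA:src_mac},"
    "%{DATA:dst_category},%{DATA:dst_profile},%{DATA:dst_model},%{DATA:dst_vendor},%{DATA:dst_osfamily},"
    "%{DATA:dst_osversion},%{DATA:dst_host},%{DATA:dst_mac},%{DATA:container_id},%{DATA:pod_namespace},"
    "%{DATA:pod_name},%{DATA:src_edl},%{DATA:dst_edl},%{DATA:hostid},%{DATA:serialnumber},%{DATA:src_dag},"
    "%{DATA:dst_dag},%{DATA:session_owner},%{DATA:high_res_timestamp},%{DATA:nssai_sst},%{DATA:nssai_sd},"
    "%{DATA:subcategory_of_app},%{DATA:category_of_app},%{DATA:technology_of_app},%{DATA:risk_of_app},"
    '"%{DATA:characteristic_of_app}",%{DATA:container_of_app},%{DATA:tunneled_app},%{DATA:is_saas_of_app},'
    "%{DATA:sanctioned_state_of_app},%{DATA:offloaded},%{DATA:traffic_type},"
)

# The post's sample line as the forum renders it (typographic quotes kept on purpose).
SAMPLE_AS_RENDERED = (
    "panorama.div.company.com 1,2024/12/02 15:18:02,024680993766,TRAFFIC,end,2897,2024/12/02 15:18:02,"
    "10.88.151.8,10.99.101.17,0.0.0.0,0.0.0.0,inernal-in_37,msrpc-base,vdiv1,PROD.Internal,PROD.DIVNET,"
    "ethernet1/2,ethernet1/1,default,2024/12/02 15:18:02,655765,1,61636,49681,0,0,0x401a,tcp,allow,4896,3798,"
    "1098,16,2024/12/02 15:17:19,29,any,7432514093394733498,0x8000000000000000,10.0.0.0-10.255.255.255,"
    "10.0.0.0-10.255.255.255,9,7,tcp-rst-from-client,20,11,0,0,PA2.FL13,from-policy,0,0,N/A,0,0,0,0,"
    "1c563515-f2e7-227d-dc61-76f72a114777,0,0,2024-12-02T15:18:02.940-05:00,infrastructure,networking,"
    "network-protocol,2,\u201chas-known-vulnerability,tunnel-other-application,pervasive-use\u201d,"
    "msrpc,untunneled,no,no,0,NonProxyTraffic,"
)

CAPTURE = re.compile(r"%\{(\w+):(\w+)\}")  # one grok capture: %{TYPE:name}

# Whole-field versions of the three grok primitives the pattern uses (simplified).
GROK_TYPES = {
    "WORD": re.compile(r"\w+\Z"),
    "NUMBER": re.compile(r"[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)\Z"),
    "DATA": re.compile(r".*\Z", re.DOTALL),
}


def pattern_fields(pattern):
    """[(grok_type, field_name), ...] in capture order."""
    return CAPTURE.findall(pattern)


def normalize_quotes(text):
    """Undo the typographic double quotes a forum editor substitutes for straight ones."""
    return text.replace("\u201c", '"').replace("\u201d", '"')


def split_fields(line):
    """Split a line into the values the pattern's captures would see."""
    host, _, rest = line.partition(" ")  # "%{WORD:logsrc}.div.company.com" then a space
    values = [host.split(".", 1)[0]]  # the WORD before .div.company.com
    values += next(csv.reader([rest]))  # csv: commas inside a quoted field are not separators
    if rest.endswith(",") and values[-1] == "":
        values.pop()  # the pattern ends in a literal comma, not a capture
    return values


def first_mismatch(pattern, line):
    """(field, value, reason) for the first capture that cannot match, or None if all can."""
    fields, values = pattern_fields(pattern), split_fields(line)
    for (gtype, name), value in zip(fields, values):
        if not GROK_TYPES[gtype].match(value):
            return name, value, f"{gtype} cannot match"
    if len(values) < len(fields):
        return fields[len(values)][1], None, f"{len(values)} values for {len(fields)} captures"
    return None


def synthetic_line(pattern):
    """Constructed line that satisfies every capture: a positive control for the checker."""
    dummy = {"WORD": "w", "NUMBER": "1", "DATA": "d"}
    return CAPTURE.sub(lambda m: dummy[m.group(1)], pattern)
```

Run against the sample as rendered, the checker stops at natsport with the value 0x401a, the same field the post reports failing, and it also shows that the rendered line carries far fewer comma-separated values than the pattern has captures (72 once the quotes are straightened, against 117), so the NUMBER captures from sessionid onward are being handed columns from further right than intended. Straightening the typographic quotes changes the value count (the quoted characteristic_of_app value stops splitting into three) but not the first failing field, which is worth knowing before spending time on the quotes alone.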