Saravana37
June 17, 2020, 5:21am
1
Hello All ,
I am facing some challenges in building the below Grok pattern.
%{WORD:Server}%{SPACE}%{WORD:Component}%{SPACE}%{NOTSPACE:ComponentStatus}%{SPACE}%{WORD:CG_ALIAS}%{SPACE}%{WORD:CompStartMode}%{SPACE}%{NUMBER:RunningTasks:int}%{SPACE}%{NUMBER:MaxTasks:int}
Sample Data is
SXXX000XXXA SCCObjMgr_enu Partially Offline CallCenter Auto 129 210
Here "Partially Offline" is the Componentstatus i want to print
But Output coming as
{
"MaxTasks": 210,
"CompStartMode": "Auto",
"RunningTasks": 129,
"Server": "SCCObjMgr_enu",
"ComponentStatus": "Offline",
"CG_ALIAS": "CallCenter",
"Component": "Partially"
}
Where as my required output is
{
"MaxTasks": 210,
"CompStartMode": "Auto",
"RunningTasks": 129,
"Server": "SXXX00000XXXA",
"ComponentStatus": "Partially Offline",
"CG_ALIAS": "CallCenter",
"Component": "SCCObjMgr_enu"
}
Kindly help.
Thanks and Regards
A_B
June 17, 2020, 2:21pm
2
Hi @Saravana37 ,
as far as I can tell the problem is the ComponentStatus part with in the sample log line is two words (Partially Offline ) and in the GROK pattern you use NOTSPACE. tbh I do not know how to deal with that. I take it there is a set of known different possibilities for the value of ComponentStatus?
Jenni
June 17, 2020, 3:27pm
3
If there is no more concrete information about the status like @A_B suggested, we could say "One or more words separated by spaces":
%{WORD:Server}%{SPACE}%{WORD:Component}%{SPACE}(?<ComponentStatus>(%{WORD}\s?)*%{WORD})%{SPACE}%{WORD:CG_ALIAS}%{SPACE}%{WORD:CompStartMode}%{SPACE}%{NUMBER:RunningTasks:int}%{SPACE}%{NUMBER:MaxTasks:int}
Saravana37
June 19, 2020, 2:49am
4
Jenni:
separated
Hello @A_B ,
The component status is with one or more Words like Running,Online,Partially Offline and "Not Online".
Thanks and Regards
Saravana37
June 19, 2020, 2:50am
5
Hello Jenni ,
Thanks for the solution. It worked .
system
July 17, 2020, 2:50am
6
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.