Detect a message containing characters and digits

WarriorHarb · June 11, 2019, 3:30pm

Hello,
i'd like to detect a part from a message matching a specific sentence .
When the searched part doesn't contain numbers it works fine with this grok filter :

match => ["Message" , "(^|\W+)(?<keyword>parsing failed for header from)(\W+|$)"]

it detects the partial message "parsing failed for header from" correctly.
what shall i add to make it detect a message like this :

" warning: get digits failed, (450) "

(the (^|\W+) doesn't seem to do the task )
Thanks in advance .

Badger · June 11, 2019, 3:53pm

What pattern are you matching against that?

WarriorHarb · June 11, 2019, 4:11pm

hi @Badger do you mean this ?

		match =>{
		"message" =>"%{SYSLOGTIMESTAMP:Date}%{SPACE}%{NOTSPACE:Logsource}%{SPACE}%{WORD:Servertype}:%{SPACE}\[%{WORD:PID}]%{SPACE}%{GREEDYDATA:Message}"
		}

Badger · June 11, 2019, 4:22pm

What is the complete message that is failing to match?

WarriorHarb · June 11, 2019, 4:59pm

@Badger
here it is

Jan 21 14:04:40.424 OPCM35AVCS207 VCS: [0x00000fd8] warning: get digits failed, (450) - wrong number of arguments or invalid property assignment testing now

Badger · June 11, 2019, 5:09pm

OK, so that sets

   "Message" => "warning: get digits failed, (450) - wrong number of arguments or invalid property assignment testing now",

What are you matching that to that does not work the way you want?

WarriorHarb · June 13, 2019, 9:40am

@Badger
I am looking for that part :

match => ["Message" , "(^|\W+)(?warning: get digits failed, (450) - wrong number of arguments or invalid property assignment)(\W+|$)"]

but it doesn't detect the "warning: get digits failed, (450) - wrong number of arguments or invalid property assignment"
i guess it's due to the "(450)" part.

Badger · June 13, 2019, 4:04pm

That is not a valid regexp. You may need to use markdown to prevent the browser consuming some of the characters in the regexp. Make sure it appears correctly in the preview pane on the right when editing your message.

WarriorHarb · June 13, 2019, 4:11pm

Hi @Badger, i'm sorry i didn't quite get what u mean exactly

Badger · June 13, 2019, 4:17pm

You say you are using

match => ["Message" , "(^|\W+)(?warning: get digits failed, (450) - wrong number of arguments or invalid property assignment)(\W+|$)"]

but that produces the error

#<RegexpError: undefined group option: /(^|\W+)(?warning: get digits failed, (450) - wrong number of arguments or invalid property assignment)(\W+|$)/m>

which suggests to me that you are not actually using the pattern you say you are, possibly because the browser has consumed #, *, or < characters as markdown.

system · July 11, 2019, 4:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.