Either white space or a %{WORD:_____}

I have two different kinds of messages that are very similar:

"Rec": " 10:33:38 +HCXPCTA-E CW83 ISMDAYS ASRA"}
"Rec": " 10:31:56 +HCXPCTA-E IS60 RX1 ISMDAYS ASRA"}

In the Rec field one message has RX1 while the other has just 6 white spaces. (This text box doesn't allow for white space, it seems, but the message without the RX1 has 6 white spaces, so both messages have the same number of characters.)

How do I code something like "if white space ignore, else if not white space do: %{WORD:NAME}" ?

Here's what I have now. It works only when there's white space; it fails if the RX1 exists:

grok { match => {"Rec" => " (?<Time_Stamp>[0-9][0-9]:[0-9][0-9]:[0-9][0-9]) +%{WORD:Message_Code}\-\E %{WORD:Tran_ID} %{WORD:Program} %{WORD:Abend_Code}"}}

Try %{WORD:Tran_ID}\s+(%{WORD:Program})? and anchor the end of the pattern to end-of-line using $.

What does \s+ do? Ignore any amount of white space?

But it looks like that worked.

How would I ignore 2 or 3 white space characters? Later on in the message I'm getting issues because sometimes there's a 7 char program name and sometimes there's an 8 char program name. So there's white space that's either 2 or 3 characters.

\s+ is one or more whitespace characters. The ()? around the Program means it occurs zero or more times.

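Added example, not posted by anyone in this thread: the optional-field and variable-spacing matching discussed above, written as a plain Ruby regex (grok patterns are Oniguruma regular expressions, the same family as Ruby's engine) so it can be tested outside Logstash. The name `Opt_Field`, the helper names, the 8-character program name and the column widths of the sample lines are assumptions made for illustration.

```ruby
# \w+ stands in for grok's WORD; named groups mirror the field names in the thread.
# Opt_Field is a hypothetical name for the column that holds "RX1" or blanks.
REC = /
  \A\s*
  (?<Time_Stamp>\d{2}:\d{2}:\d{2}) \s+
  \+(?<Message_Code>\w+)-E         \s+   # literal "+" must be escaped
  (?<Tran_ID>\w+)                  \s+
  (?:(?<Opt_Field>\w+)\s+)?              # whole column is optional
  (?<Program>\w+)                  \s+   # \s+ absorbs 2 or 3 (or more) spaces
  (?<Abend_Code>\w+)
  \s*\z                                  # anchor the end, as suggested in the thread
/x

# Returns a hash of fields, or nil when the line does not match
# (the case Logstash would tag with _grokparsefailure).
def parse_rec(line)
  m = REC.match(line)
  return nil unless m
  m.named_captures.compact   # drop Opt_Field when the column was blank
end

# Constructed sample lines: fixed-width columns are padded explicitly so the
# whitespace is visible in the code (6 wide for the optional column, 10 for Program).
def sample(tran, opt, program, abend)
  " 10:31:56 +HCXPCTA-E #{tran} #{opt.ljust(6)} #{program.ljust(10)}#{abend}"
end

if __FILE__ == $PROGRAM_NAME
  [
    sample("IS60", "RX1", "ISMDAYS", "ASRA"),   # optional column filled
    sample("CW83", "",    "ISMDAYS", "ASRA"),   # optional column blank
    sample("CW83", "",    "ISMDAYS2", "ASRA"),  # 8-char program, one space fewer
    "10:31:56 unrelated text"                   # does not match
  ].each { |line| p parse_rec(line) }
end
```

A line that returns `nil` here is one that would reach the index without its parsed fields, so it is worth checking for `_grokparsefailure` tags after changing a pattern.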