Either white space or a %{WORD:_____}

Jim_Thunder · April 4, 2023, 10:33pm

I have two different kinds of messages that are very similar:

"Rec": " 10:33:38 +HCXPCTA-E CW83 ISMDAYS ASRA"}
"Rec": " 10:31:56 +HCXPCTA-E IS60 RX1 ISMDAYS ASRA"}

In the REC field one message has RX1 while the other is just 6 white spaces. (This text box doesn't allow for white space it seems, but the message w/o the rx1 has 6 white spaces. So both messages have the same number of characters).

How do I code something like "if white space ignore, else if not white space do: %{WORD:NAME}" ?

Here's what I have now that works only when there's white space, it fails if the RX1 exists:

grok { match => {"Rec" => " (?<Time_Stamp>[0-9][0-9]:[0-9][0-9]:[0-9][0-9]) +%{WORD:Message_Code}\-\E %{WORD:Tran_ID} %{WORD:Program} %{WORD:Abend_Code}"}}

Badger · April 5, 2023, 1:12am

Try %{WORD:Tran_ID}\s+(%{WORD:Program})? and anchor the end of the pattern to end-of-line using $.

Jim_Thunder · April 5, 2023, 1:32pm

What does \s+ do? Ignore any amount of white space?

But it looks like that worked.

How would I ignore 2 or 3 white space characters? Later on in the message I'm getting issues because sometimes there's a 7 char program name and sometimes there's an 8 char program name. So there's white space that's either 2 or 3 characters.

Badger · April 5, 2023, 2:35pm

\s+ is one or more whitespace characters. The ()? around the Program means it occurs zero or more times.

system · May 3, 2023, 2:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.