Filter for When Log changes Slightly

rmoss25 · March 24, 2021, 1:07am

HI,
How do you create a grok pattern that can handle the log changing every now and then so I have a filter written that works but every so often the last field of an almost identical log is empty and the existing filter cant handle it.
e.g Logs

"MAR-21 00:43:38|158.98.214.94|2|CN=Test.Test,OU=alpha Users,OU=alpha,OU=Test Units,DC=alphadev,DC=dev,DC=abc,DC=ca|foJ16BD1/B42LI5Cfke/D4oDcUA=|ABCDEF"

"12-MAR-21 07:50:06|10.82.96.130|10|CN=ez91288,OU=BEV Users,OU=BEV,OU=Business Units,DC=alpha,DC=corp,DC=abc,DC=ca|+uOdgwg5RbNyjjd8JYBtk2K6yH8=|"

so the 2nd log doesn't have the field "|ABCDEF" so it breaks parsing.

%{GREEDYDATA:timestamp}\|%{IPV4:src_ip}\|%{WORD:event_id}\|%{GREEDYDATA:DN}\|%{NOTSPACE:session}\|%{NOTSPACE:application} |

Badger · March 24, 2021, 2:40am

If a grok field is optional then you can surround it with ()? (i.e. zero or more of the capture group) to tell grok that.

system · April 21, 2021, 2:41am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Assistance with grok filter Logstash	4	1403	July 6, 2017
Logstash Grok problem Logstash	1	345	January 2, 2020
Logstash: Optional fields in grok Logstash	3	341	January 4, 2023
Pattern matching issues in Logstash Logstash	2	264	October 13, 2021
How to handle grok optional pattern (?:) Logstash	7	1160	June 1, 2022

Filter for When Log changes Slightly

Related topics