Grok an IP address and username

Hi, I have the following text below, from which I'm trying to parse just the IP and username. I've tried adding all the text prior to the IP but still nothing. Even if I just put 1.1.1.1 into the Grok Debugger and %{IP} as the filter, I get nothing, so I think there's something very basic I'm missing and could use some help.

    Gateway user authentication succeeded. Login from:119.146.12.113, Source region: US, User name: admin, Auth type: profile, Client OS version: Microsoft Windows 10 Enterprise , 64-bit.

Thanks

Try

    grok {
        match => {
            "message" => [
                "%{IPV4:ip}",
                "User name: %{WORD:user},"
            ]
        }
        break_on_match => false
    }
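What `break_on_match => false` changes in the filter above, shown as an added example that is not part of the original reply: a Python emulation of grok trying an array of patterns in order against the log line from the question. The regexes are simplified stand-ins for grok's `IPV4` and `WORD` patterns (an assumption), and `grok_like` is a hypothetical helper name.

```python
import re

# Python approximations of the grok patterns used in the answer (assumption:
# simplified equivalents, not Logstash's own pattern definitions).
OCTET = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9]{1,2})"
PATTERNS = [
    re.compile(rf"(?<![0-9])(?P<ip>{OCTET}(?:\.{OCTET}){{3}})(?![0-9])"),  # %{IPV4:ip}
    re.compile(r"User name: (?P<user>\b\w+\b),"),                          # %{WORD:user}
]

# Log line from the question.
LINE = ("Gateway user authentication succeeded. Login from:119.146.12.113, "
        "Source region: US, User name: admin, Auth type: profile, "
        "Client OS version: Microsoft Windows 10 Enterprise , 64-bit.")


def grok_like(message, break_on_match=True):
    """Apply each pattern in order; stop after the first hit unless
    break_on_match is False (mirrors the option set in the answer)."""
    fields = {}
    for pattern in PATTERNS:
        m = pattern.search(message)
        if m:
            fields.update(m.groupdict())
            if break_on_match:
                break
    return fields


if __name__ == "__main__":
    print(grok_like(LINE))                        # default: first match only
    print(grok_like(LINE, break_on_match=False))  # both fields extracted
    # Constructed variant: a dotted user name is not a single \w+ run,
    # so the WORD-style pattern extracts no user field at all.
    print(grok_like(LINE.replace("admin", "j.doe"), break_on_match=False))
```

For authentication logs, the last case matters: a user name containing characters outside `\w` leaves the event without a `user` field, so check for events missing that field before relying on it in alerts.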

Badger to the rescue again! Thanks again!

Sorry for another question, but why doesn't this work in the grok debugger site (https://grokdebug.herokuapp.com)? I thought that was where to go to test your patterns.
