Grok can't do what dissect does

aruntracer · November 10, 2018, 12:28pm

test.log

Sat Nov 30 21:36:25 IST 2013;404112130710695;8377828305;ROHIT  KUMAR;0,PM - Prepaid Mercury,5401;11166;Del_Delhi_South Delhi_SD_IBC_T3_Terminal_Intern_166_5401

this log is easily parsed using dissect filter by giving the delimiter as semicolon, but when it come to Grok approach I feel it is not possible to get the value "0,PM - Prepaid Mercury,5401" which is the plan name of this customer because in grok I don't find an option to get the word which has spaces in between and numbers in between..

My Grok try,

%{DAY:day} %{MONTH:month} %{POSINT:date} %{TIME:time} %{WORD:time_zone} %{NUMBER:year};%{NUMBER:sim_number};%{NUMBER:tn};%{WORD:first_name}%{SPACE}%{WORD:last_name};%{?????:plan_name}

In above example Grok pattern I have given ????? in the place where I'm unable to extract the plan name from the log

Makra · November 10, 2018, 1:17pm

@aruntracer

Use GREEDYDATA along with appropriate delimiter to fetch the plan like below.

%{DAY:day} %{MONTH:month} %{POSINT:date} %{TIME:time} %{WORD:time_zone} %{NUMBER:year}\;%{NUMBER:sim_number}\;%{NUMBER:tn}\;%{WORD:first_name}%{SPACE}%{WORD:last_name}\;%{GREEDYDATA:plan_name}\;%{INT:num}\;%{NOTSPACE:remaining1} %{NOTSPACE:remaining2}

The above grok will fetch the plan name follows:

 "plan_name": [
    [
      "0,PM - Prepaid Mercury,5401"
    ]

system · December 8, 2018, 1:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.