Grok - Extracting words between two phrases that remain constant

Hi All,

I'm currently trying to extract a VM name from vSphere logs and am having some issues as the VM names can be of variable length and contain an array of characters. So far the only delimiting factor for separating the name out is that part of the message leads with "A ticket for " and immediately after the VM name is "of type". For example, in the below sample data I am trying to extract "CHICAGO - DB" as vm.name. So far I am able to get the first part trimmed out, but have not found any resources on ensuring the name ends whenever the words "of type" appear. Below is the sample data and Grok pattern. Any help would be appreciated!

Sample Data:
[A ticket for CHICAGO - DB of type webmks on 172.16.124.32 in DATACENTER has been acquired]

Grok Pattern:
[A ticket for (%{DATA:vm.name})]

Results:
"vm": {
  "name": "CHICAGO - DB of type webmks on 172.16.124.32 in DATACENTER has been acquired"
}

Try A ticket for %{DATA:vm.name} of

If you want a [vm] object with a [name] field inside it then use [vm][name] instead of vm.name. vm.name will create a field with a period in its name.

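To make the two answers above concrete, here is an added example (not code from the thread or from Logstash itself): a small Python stand-in for grok that expands a handful of base patterns with the same regex bodies Logstash uses (DATA is lazy `.*?`, GREEDYDATA is greedy `.*`), runs the poster's original pattern and the suggested fix over the sample line, and builds the event either with a dotted `vm.name` key or a nested `[vm][name]` object. The second log line, and the `[ticket][type]` and `[host][ip]` field names, are constructed for this example; they are not from the original post.

```python
import re

# Constructed sample input. The first line is the one from the question; the second is
# made up to show a VM name that itself contains " of ", which trips the " of" delimiter.
SAMPLE_LINES = [
    "[A ticket for CHICAGO - DB of type webmks on 172.16.124.32 in DATACENTER has been acquired]",
    "[A ticket for Department of Finance - WEB01 of type mks on 10.0.0.7 in DATACENTER has been acquired]",
]

# The only base patterns this example needs. Bodies follow the standard grok-patterns file:
# DATA is lazy (stops at the first place the rest of the pattern can match), GREEDYDATA is greedy.
GROK_BASE = {
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "WORD": r"\b\w+\b",
    "IPV4": r"(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)",
}

# %{NAME} or %{NAME:field}; field may be dotted (vm.name) or a Logstash reference ([vm][name]).
_SEMANTIC = re.compile(r"%\{(\w+)(?::([\w.\[\]]+))?\}")


def compile_grok(pattern):
    """Expand %{NAME:field} references into a Python regex with named groups.

    Python group names must be identifiers, so grok field names are mapped through
    group_map (g0, g1, ...) and translated back after matching.
    """
    group_map = {}

    def repl(m):
        name, field = m.group(1), m.group(2)
        body = GROK_BASE[name]
        if field is None:
            return f"(?:{body})"
        gid = f"g{len(group_map)}"
        group_map[gid] = field
        return f"(?P<{gid}>{body})"

    return re.compile(_SEMANTIC.sub(repl, pattern)), group_map


def grok(pattern, line):
    """Return the captured fields as a flat dict keyed by grok field name, or None on no match.
    Like Logstash grok, the match is unanchored (re.search, not re.match)."""
    rx, group_map = compile_grok(pattern)
    m = rx.search(line)
    if not m:
        return None
    return {group_map[gid]: val for gid, val in m.groupdict().items()}


def set_nested(doc, field, value):
    """Store value under a Logstash-style field reference: [vm][name] nests,
    while a bare vm.name creates a single top-level key with a period in it."""
    parts = re.findall(r"\[([^\]]+)\]", field)
    if not parts:
        doc[field] = value
        return doc
    cur = doc
    for p in parts[:-1]:
        cur = cur.setdefault(p, {})
    cur[parts[-1]] = value
    return doc


def grok_event(pattern, line):
    """Match and assemble the event document the way the grok filter would."""
    fields = grok(pattern, line)
    if fields is None:
        return None
    event = {}
    for field, value in fields.items():
        set_nested(event, field, value)
    return event


# The poster's pattern: DATA is lazy, but the only thing after it is the closing "]",
# so it runs to the end of the message.
ORIGINAL = r"\[A ticket for %{DATA:vm.name}\]"
# The suggested fix: stop at the first " of" that follows the name.
FIXED = r"A ticket for %{DATA:vm.name} of"
# Tighter variant: use the full " of type " literal as the delimiter, nest the fields,
# and pull the ticket type and address out while we are at it.
FULL = r"A ticket for %{DATA:[vm][name]} of type %{WORD:[ticket][type]} on %{IPV4:[host][ip]}"

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line)
        print("  original:", grok(ORIGINAL, line))
        print("  fixed:   ", grok_event(FIXED, line))
        print("  full:    ", grok_event(FULL, line))
```

Two things the run makes visible that the thread does not spell out: a pattern ending in `%{DATA:...}` with nothing after it captures the empty string, because lazy `.*?` is satisfied immediately, and `... %{DATA:vm.name} of` stops at the first " of" it meets, so a VM called "Department of Finance - WEB01" comes out as "Department". Matching on the whole " of type " literal avoids that for any name that does not itself contain that phrase.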

Worked like a charm - thank you so much!
