Grok filter for any symbol include string break

74db36a597f21b891b3f · August 8, 2018, 10:42am

Hello. I'm trying to parse event message to fields.
There is no problem with simple fields, but i'm unable to highlight biggest field that looks like this:

Details: {"Realm_Size":68,"Realm":"https://uisnotification-sb.accesscontrol.windows.net/v2/mgmt/service","action_Size":11,"action":"ACTION_NONE","TokenType_Size":59,"TokenType":"http://schemas.xmlsoap.org/ws/2009/11/swt-token-profile-1.0","IssuerUrl_Size":78,"IssuerUrl":"https://uisnotification-sb.accesscontrol.windows.net/v2/wstrust/13/certificate","CertificateSerialNumber_Size":32,"CertificateSerialNumber":"123456789ASDGFHGFJDHGIYU"}

NOTSPACE and GREEDYDATA are not fit, because (as i think) field contains string breaks and other interesting symbols.

Is there any pattern that can highlight this peace of message?

waqark3389 · August 8, 2018, 11:00am

Greedydata is basically .* - which will match the above text. Have you tried it on grokdebug?

74db36a597f21b891b3f · August 8, 2018, 11:02am

Yes, and it's not working.
As I understand dot means any symbol except string break.

waqark3389 · August 8, 2018, 11:09am

What do you mean by not working exactly? Post your full config...

74db36a597f21b891b3f · August 8, 2018, 12:06pm

I find out that problem was in extra string breaks in input and output.

So there was no real issue.

This thread can be closed or deleted.

system · September 5, 2018, 12:06pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.