Grok Filter Parse a Hyphen as absent

Hi,
I'm trying to parse a log which will insert a hyphen for some fields when there is no value:

Is there an easy way with grok to treat the hyphen as if the value is absent? i.e. not add the hyphen as a value, but continue to parse the rest of the values correctly?

Two example lines from the log:
2017-11-01 12:03:47 - - - "-" 10.0.0.100 "-" - "-" - "VS: name"
2017-11-01 12:44:01 10.0.0.1 "/file.cfc?test=thing" 192.168.1.1:80 192.168.1.1:80 "P: pool1" 10.0.0.100 "thing1=24; thing2=5;" 200 "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" 2 "VS: name"

Current filter:
%{TIMESTAMP_ISO8601:log_timestamp} %{DATA:TrueClientIP} (%{DATA:RequestPath})? %{DATA:Node} %{DATA:RequiredNode} %{QUOTEDSTRING:Pool} %{IPV4:RequestIP} %{QUOTEDSTRING:Cookie} %{DATA:StatusCode} %{QUOTEDSTRING:UserAgent} %{DATA:Hops} %{QUOTEDSTRING:VirtualServer}

I am very new to grok and appreciate my filter is probably wrong in many ways and I welcome any constructive criticism.

Thanks,
Ewan.

Use (-|%{PATTERN:fieldname}) to match either a hyphen or PATTERN, and in the latter case store the result in fieldname.

You're overusing DATA. That can result in extremely poor performance or surprising matches. Use more exact patterns whenever possible.

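As an added illustration (not code from this thread, and not Logstash itself), the script below applies both suggestions from the reply to the two log lines in the question: every field that can be `-` is written as `(-|%{PATTERN:field})`, and the loose `DATA` captures are replaced with `IPV4`, `HOSTPORT`, `NONNEGINT` and `QUOTEDSTRING`. One caveat the reply's one-liner does not spell out: `QUOTEDSTRING` matches the quotes too, so for the quoted fields the "empty" marker is `"-"`, and the alternation has to be `("-"|%{QUOTEDSTRING:Pool})`. The script contains a tiny stand-in for grok's pattern expansion with simplified copies of the built-in patterns (assumptions for this example; Logstash's real definitions are broader, for instance HOSTPORT is `%{IPORHOST}:%{POSINT}`). Reading the first sample line, it also assumes RequestPath is dropped entirely (quote and all) when there is no request, which is what the poster's optional group suggests.

```python
import re
from typing import Optional

# Simplified copies of the grok built-ins used below. This is an assumption for
# the example: Logstash's real grok-patterns file is more permissive.
GROK_PATTERNS = {
    "POSINT": r"\b(?:[1-9][0-9]*)\b",
    "NONNEGINT": r"\b(?:[0-9]+)\b",
    "IPV4": r"(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
            r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)",
    "HOSTPORT": r"%{IPV4}:%{POSINT}",           # real grok: %{IPORHOST}:%{POSINT}
    "QUOTEDSTRING": r'"(?:\\.|[^\\"])*"',       # includes the surrounding quotes
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?"
                         r"(?:Z|[+-]\d{2}:?\d{2})?",
}

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME} / %{NAME:field} references into a Python regex.

    %{NAME:field} becomes a named group; a bare %{NAME} becomes a non-capturing
    group, so only names written in the pattern turn into fields (as in grok).
    """
    def expand(m: "re.Match[str]") -> str:
        name, field = m.group(1), m.group(2)
        body = grok_to_regex(GROK_PATTERNS[name])  # recursive: HOSTPORT uses IPV4
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return _REF.sub(expand, pattern)


# The rewritten filter. Unquoted fields use (-|...), quoted fields use ("-"|...).
# RequestPath is assumed to be absent entirely on lines with no request, hence
# the optional group that also swallows its trailing space.
LOG_PATTERN = (
    r"^%{TIMESTAMP_ISO8601:log_timestamp} "
    r"(-|%{IPV4:TrueClientIP}) "
    r"(%{QUOTEDSTRING:RequestPath} )?"
    r"(-|%{HOSTPORT:Node}) "
    r"(-|%{HOSTPORT:RequiredNode}) "
    r'("-"|%{QUOTEDSTRING:Pool}) '
    r"%{IPV4:RequestIP} "
    r'("-"|%{QUOTEDSTRING:Cookie}) '
    r"(-|%{NONNEGINT:StatusCode}) "
    r'("-"|%{QUOTEDSTRING:UserAgent}) '
    r"(-|%{NONNEGINT:Hops}) "
    r"%{QUOTEDSTRING:VirtualServer}$"
)
LOG_REGEX = re.compile(grok_to_regex(LOG_PATTERN))

# The two lines from the question.
SAMPLE_LINES = [
    '2017-11-01 12:03:47 - - - "-" 10.0.0.100 "-" - "-" - "VS: name"',
    '2017-11-01 12:44:01 10.0.0.1 "/file.cfc?test=thing" 192.168.1.1:80 '
    '192.168.1.1:80 "P: pool1" 10.0.0.100 "thing1=24; thing2=5;" 200 '
    '"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/55.0.2883.87 Safari/537.36" 2 "VS: name"',
]


def parse_line(line: str) -> Optional[dict]:
    """Return the grok fields for one line, or None if the line does not match.

    A field whose alternation matched the "-" branch has no named capture, so it
    is simply missing from the result rather than being stored as "-".
    """
    m = LOG_REGEX.match(line)
    if m is None:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
```

Run it and the first line yields only `log_timestamp`, `RequestIP` and `VirtualServer`; the second yields all twelve fields, with the quoted ones keeping their quotes exactly as grok's `QUOTEDSTRING` does (add a `mutate` `gsub`, or a custom pattern without the quotes, if you want them stripped). The same `LOG_PATTERN` string can be pasted into a Logstash `grok` filter's `match` option, subject to the caveat that the built-ins there are the real, broader ones.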
