I'm using this website to debug my Grok code: https://grokdebug.herokuapp.com/
Two different logs I'm trying to ingest:
1:
<134>1 1651225979.448642514 EMEA_ISP ip_flow_end src=192.168.15.6 dst=8.8.4.4 protocol=udp sport=43026 dport=53 translated_src_ip=193.117.158.139 translated_port=4302
2:
<134>1 1651226889.364970820 EMEA_ISP ip_flow_start src=192.168.15.115 dst=8.8.8.8 protocol=icmp translated_src_ip=193.117.158.13
Grok Filter that gets me 99% of the way there:
ip_flow_end src=%{IP:src_ip} dst=%{IP:dst_ip} protocol=%{WORD:protocol} sport=%{NUMBER:src_port} dport=%{NUMBER:dst_port}
This gives me the following fields; however, it would be really nice to have the "ip_flow_end" / "ip_flow_start" part broken up so that I get end/start as a field I can then search on.
I tried this, but it doesn't seem to like it or work:
ip_flow_%{WORD:action} src=%{IP:src_ip} dst=%{IP:dst_ip} protocol=%{WORD:protocol} sport=%{NUMBER:src_port} dport=%{NUMBER:dst_port}
Any help is much appreciated.
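As an added example (not part of the question, and not Logstash's own code), the following Python script expands a small subset of grok syntax into regular expressions and runs both patterns over the two log lines above. The IP, WORD, NUMBER and DATA definitions are simplified stand-ins assumed for the example (grok's real IP pattern is longer), but WORD is defined exactly as grok defines it, `\b\w+\b`. That is why `ip_flow_%{WORD:action}` never matches: `_` is a word character, so there is no word boundary between `ip_flow_` and `end`. An explicit named capture, `ip_flow_(?<action>start|end)`, matches, and wrapping `sport`/`dport` in an optional group lets the ICMP line (which has no ports) match as well.

```python
import re

# Constructed sample input: the two lines quoted in the question.
SAMPLE_LOGS = [
    "<134>1 1651225979.448642514 EMEA_ISP ip_flow_end src=192.168.15.6 dst=8.8.4.4 "
    "protocol=udp sport=43026 dport=53 translated_src_ip=193.117.158.139 translated_port=4302",
    "<134>1 1651226889.364970820 EMEA_ISP ip_flow_start src=192.168.15.115 dst=8.8.8.8 "
    "protocol=icmp translated_src_ip=193.117.158.13",
]

# Simplified stand-ins for grok's built-in patterns (assumed for this example;
# grok's IP/NUMBER are more elaborate). WORD is grok's actual definition.
GROK_PRIMITIVES = {
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "WORD": r"\b\w+\b",
    "NUMBER": r"\d+",
    "DATA": r".*?",
}

# The pattern from the question that does not match.
BROKEN_GROK = (
    "ip_flow_%{WORD:action} src=%{IP:src_ip} dst=%{IP:dst_ip} "
    "protocol=%{WORD:protocol} sport=%{NUMBER:src_port} dport=%{NUMBER:dst_port}"
)

# Working pattern: an explicit named capture for the action (grok uses
# Oniguruma's (?<name>...) syntax) and an optional group for the port pair so
# the ICMP line, which carries no sport/dport, still matches.
FIXED_GROK = (
    "ip_flow_(?<action>start|end) src=%{IP:src_ip} dst=%{IP:dst_ip} "
    "protocol=%{WORD:protocol}(?: sport=%{NUMBER:src_port} dport=%{NUMBER:dst_port})?"
)


def compile_grok(pattern):
    """Expand %{NAME:field} into Python named groups and translate (?<name>...)
    captures; a tiny subset of grok, enough for the patterns above."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        return f"(?P<{field}>{GROK_PRIMITIVES[name]})"

    regex = re.sub(r"%\{(\w+):(\w+)\}", expand, pattern)
    regex = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", regex)  # Oniguruma -> Python capture syntax
    return re.compile(regex)


def parse_flow(line, grok_pattern=FIXED_GROK):
    """Return the captured fields as a dict, or None when the pattern does not match.
    Optional groups that did not participate (e.g. ports on ICMP) are dropped."""
    m = compile_grok(grok_pattern).search(line)
    if m is None:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print("broken:", parse_flow(line, BROKEN_GROK))
        print("fixed: ", parse_flow(line))
```

The same `FIXED_GROK` string can be dropped into a Logstash `grok { match => { "message" => "..." } }` block as-is; the only translation the script does is from Oniguruma's `(?<name>...)` to Python's `(?P<name>...)`.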