Grok Filter..so close... yet so far

joshn · April 29, 2022, 10:22am

I'm using this website to debug my Grok code: https://grokdebug.herokuapp.com/

Two different logs I'm trying to ingest:

1:

<134>1 1651225979.448642514 EMEA_ISP ip_flow_end src=192.168.15.6 dst=8.8.4.4 protocol=udp sport=43026 dport=53 translated_src_ip=193.117.158.139 translated_port=4302

2:

<134>1 1651226889.364970820 EMEA_ISP ip_flow_start src=192.168.15.115 dst=8.8.8.8 protocol=icmp translated_src_ip=193.117.158.13

Grok Filter that gets me 99% of the way there:

ip_flow_end src=%{IP:src_ip} dst=%{IP:dst_ip} protocol=%{WORD:protocol} sport=%{NUMBER:src_port} dport=%{NUMBER:dst_port}

This gives me the following fields, however it would be REALLY nice to have the "ip_flow_endorstart" message broken up to give me the end/start as a field I can then search on.

I tried this, but it doesn't seem to like it or work?

ip_flow_%{WORD:action} src=%{IP:src_ip} dst=%{IP:dst_ip} protocol=%{WORD:protocol} sport=%{NUMBER:src_port} dport=%{NUMBER:dst_port}

Any help is much appreciated.

aaron-nimocks · April 29, 2022, 11:55am

Try ip_flow_%{GREEDYDATA:action}.

joshn · April 29, 2022, 2:13pm

eurgh - you guys and girls are just the best! thanks

system · May 27, 2022, 2:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.