Grok filter some entries have additional fields

tartaarsap · June 24, 2022, 9:19am

I have the following dataset:

1613766382 FILE %computerName%  MACB [4096] c:/$MFTMirr
1613766382 FILE %computerName%  MACB [4096] c:/$MFTMirr ($FILE_NAME)

I am trying to build a GROK filter to match on both lines. However, I can only seem to get them both individually working.

My current filter (trying to work with optional a field):

grok
	{
	    match => {"message" => "%{INT:Date} %{GREEDYDATA:File} %{GREEDYDATA:ComputerName}  %{GREEDYDATA:MACB} %{GREEDYDATA:Size} %{GREEDYDATA:Path} (%{GREEDYDATA:Filename})?"}
	}

This filter works on all lines with the $(FILE_NAME) behind it, but will give a parsing error on the first line in my dataset.

What is the best way to get this to work?

sudhagar_ramesh · June 24, 2022, 11:15am

Hello @tartaarsap

You can try this below grok pattern which is working fine for the both of log lines.

%{INT:Date} %{DATA:File} %{DATA:ComputerName} %{DATA:MACB} \[%{DATA:Size}\] %{GREEDYDATA:Filename}

PFA for the result

Keep Posted !!! Thanks !!!

tartaarsap · June 24, 2022, 1:55pm

Thanks a lot this is perfect :)!

system · July 22, 2022, 1:56pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.