Grok help splitting username:ip properly

I have log lines like the following:

2018-05-19 17:59:42 - Nagios XI [16] a1abc10:192.168.0.10 - User authenticated via Rapid Response
2018-05-20 00:00:03 - Nagios XI [32] system:localhost - User submitted a command to the subsystem (ID=1117)

My current Grok filter is:
^%{TIMESTAMP_ISO8601:timestamp} - *%{DATA:app_name} %{DATA:app_version} *%{NAGIOSTIME:nagios_epoch} *%{DATA:username_ip} - %{GREEDYDATA:message}$

The output is:
{
  "timestamp": [
    [
      "2018-05-19 17:59:42"
    ]
  ],
  "YEAR": [
    [
      "2018"
    ]
  ],
  "MONTHNUM": [
    [
      "05"
    ]
  ],
  "MONTHDAY": [
    [
      "19"
    ]
  ],
  "HOUR": [
    [
      "17",
      null
    ]
  ],
  "MINUTE": [
    [
      "59",
      null
    ]
  ],
  "SECOND": [
    [
      "42"
    ]
  ],
  "ISO8601_TIMEZONE": [
    [
      null
    ]
  ],
  "app_name": [
    [
      "Nagios"
    ]
  ],
  "app_version": [
    [
      "XI"
    ]
  ],
  "nagios_epoch": [
    [
      "[16]"
    ],
    [
      "16"
    ]
  ],
  "BASE10NUM": [
    [
      "16"
    ]
  ],
  "username_ip": [
    [
      "a1abc10:192.168.0.10"
    ]
  ],
  "message": [
    [
      "User authenticated via Rapid Response"
    ]
  ]
}

Ideally I'd like to have the username_ip split into two different fields userid and source_ip. Now as you can see the second line has "system:localhost" for the same data point ... so I need to account for that and I'm way past my Grok uberness at this point.

Alright, figured this one out, thanks for looking.
%{TIMESTAMP_ISO8601:timestamp} - *%{DATA:app_name} %{DATA:app_version} *%{NAGIOSTIME:nagios_epoch} *%{WORD:userID}:%{IP} - *%{GREEDYDATA:message}

Did the trick
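
An added example, not part of the original posts: a self-contained Logstash pipeline that replays the two sample lines from the question and splits the username:ip pair into userid and source_ip, using IPORHOST so that the system:localhost line matches as well as the dotted address. The explicit `\[%{INT:nagios_epoch}\]` group, the `overwrite` setting and the `_nagiosxi_audit_unparsed` tag name are choices made for this example.

```logstash
input {
  # The two sample lines from the question, emitted once each.
  generator {
    lines => [
      "2018-05-19 17:59:42 - Nagios XI [16] a1abc10:192.168.0.10 - User authenticated via Rapid Response",
      "2018-05-20 00:00:03 - Nagios XI [32] system:localhost - User submitted a command to the subsystem (ID=1117)"
    ]
    count => 1
  }
}

filter {
  grok {
    match => {
      # USERNAME matches letters, digits, dot, underscore and hyphen, so it stops at the colon.
      # IPORHOST accepts either an IP address or a hostname such as "localhost".
      # Both are named, so they are stored as userid and source_ip.
      "message" => "^%{TIMESTAMP_ISO8601:timestamp} - %{DATA:app_name} %{DATA:app_version} \[%{INT:nagios_epoch}\] %{USERNAME:userid}:%{IPORHOST:source_ip} - %{GREEDYDATA:message}$"
    }
    # The source field is also called "message"; without overwrite the capture
    # is appended and "message" becomes an array holding both values.
    overwrite => ["message"]
    # Hypothetical tag name: marks audit lines that did not match so they can be
    # found and reviewed instead of being indexed without user and source fields.
    tag_on_failure => ["_nagiosxi_audit_unparsed"]
  }

  # Use the log line's own time as @timestamp. The lines carry no zone offset,
  # so the Logstash host's local time zone is assumed.
  date {
    match => ["timestamp", "yyyy-MM-dd HH:mm:ss"]
  }
}

output {
  stdout { codec => rubydebug }
}
```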
