Grok match regex

Soren_vdc · July 29, 2021, 9:00am

Hi,

I want to create grok match and have the 2 first words and the last part of the message.
For example:
ERROR;AuthenticationController ;processMessage ;THR=11107194 R=760a52d97983874 T=6031a0711ec3 U=Unauthenticated I=78.21.19.214 A=- C=0001 O=- V=-;Code[TXT-CD,LAA001] transformation to input contract failed

I have this filter
(?((?:.(?!;))+$))

Result:
"exceptionHeader": [
[
";Code[TXT-CD,LAA001] transformation to input contract failed"
]
Any idea how I can add "ERROR;AuthenticationController" to "exceptionHeader"?
thx

Cad · July 29, 2021, 10:28am

Hi,

I don't know if it's possible to put all the values you want directly in a unique field. So i put values in multiple field and put them together in a new field with add_field option.
After that, i remove duplicate data with remove_field.

filter {
  grok {
    match => {
      "message" => "^%{DATA:part1};%{DATA:part2};%{GREEDYDATA};%{DATA:part3}$"
    }
    add_field => { "content" => "%{part1};%{part2};%{part3}"}
    remove_field => [ "part1", "part2", "part3" ]
  }
}

Cad.

Soren_vdc · July 29, 2021, 11:11am

thanks for the info Cad, it works !

system · August 26, 2021, 11:11am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.