Grok parse failure

Paf · October 25, 2022, 8:14am

Hello,

I want to parse the field "ModifiedProperties" with this value :

{"Name":"StrongAuthenticationMethod","NewValue":"[\r\n  {\r\n    \"MethodType\": 5,\r\n    \"Default\": true\r\n  },\r\n  {\r\n    \"MethodType\": 0,\r\n    \"Default\": false\r\n  }\r\n]","OldValue":"[]"},{"Name":"StrongAuthenticationUserDetails","NewValue":"[\r\n  {\r\n    \"PhoneNumber\": \"+xx xxxxxxxxx\",\r\n    \"AlternativePhoneNumber\": null,\r\n    \"Email\": null,\r\n    \"VoiceOnlyPhoneNumber\": null\r\n  }\r\n]","OldValue":"[\r\n  {\r\n    \"PhoneNumber\": null,\r\n    \"AlternativePhoneNumber\": null,\r\n    \"Email\": null,\r\n    \"VoiceOnlyPhoneNumber\": null\r\n  }\r\n]"},{"Name":"Included Updated Properties","NewValue":"StrongAuthenticationMethod, StrongAuthenticationUserDetails","OldValue":""},{"Name":"TargetId.UserType","NewValue":"Member","OldValue":""}

I try to use this grok pattern :

        grok {
                match => { "ModifiedProperties" => "{%{DATA:champs1}},{%{DATA:champs2}},{%{DATA:champs3}},{%{DATA:champs4}}" }
        }

I use https://grokdebug.herokuapp.com/ to debug my grok and that works, but not in logstash.

Someone can help-me ?

Thanks

Rios · October 25, 2022, 4:13pm

Not sure is your value OK, I have to add missing quotes. Anyway, this sample is working on LS 8.4

If this sample below is still not working try with grok with extra backslash \{ and \}

input {

  generator {
       message => "{\"Name\":\"StrongAuthenticationMethod\",\"NewValue\":\"[\r\n  {\r\n    \"MethodType\": 5,\r\n    \"Default\": true\r\n  },\r\n  {\r\n    \"MethodType\": 0,\r\n    \"Default\": false\r\n  }\r\n]\",\"OldValue\":\"[]\"},{\"Name\":\"StrongAuthenticationUserDetails\",\"NewValue\":\"[\r\n  {\r\n    \"PhoneNumber\": \"+xx xxxxxxxxx\",\r\n    \"AlternativePhoneNumber\": null,\r\n    \"Email\": null,\r\n    \"VoiceOnlyPhoneNumber\": null\r\n  }\r\n]\",\"OldValue\":\"[\r\n  {\r\n    \"PhoneNumber\": null,\r\n    \"AlternativePhoneNumber\": null,\r\n    \"Email\": null,\r\n    \"VoiceOnlyPhoneNumber\": null\r\n  }\r\n]\"},{\"Name\":\"Included Updated Properties\",\"NewValue\":\"StrongAuthenticationMethod, StrongAuthenticationUserDetails\",\"OldValue\":\"\"},{\"Name\":\"TargetId.UserType\",\"NewValue\":\"Member\",\"OldValue\":\"\"}"
       count => 1
  }

} # input

filter {

grok {
    match => { "message" => "{%{DATA:champs1}},{%{DATA:champs2}},{%{DATA:champs3}},{%{DATA:champs4}}" }
  }
  

}

output {

    stdout {
        codec => rubydebug{}
    }
}

Paf · October 27, 2022, 7:23am

I tried this but without success.
I finally used a ruby script to parse the values
Tanks for Your help

system · November 24, 2022, 7:23am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.