Grok parsing gives unexpected outcome

The expected outcome is the following in each event:
interface
internet_address
physical_address
type

Grok only parses the first match; I don't really get what's going on here.
Here is the UNEXPECTED outcome:

Here is the config file:

input {
  http {
    port => 9999
  }
}

filter {
  # Split the HTTP body into one event per line
  split {
    field => "message"
  }
  # Each record looks like "<iface IP>","<IP>","<MAC>","<type>", followed by a space.
  # Double quotes inside a Logstash config string must be escaped as \"
  grok {
    match => { "message" => ["(?:\")%{IP:interface}(?:\"),(?:\")%{IP:internet_address}(?:\"),(?:\")%{MAC:physical_address}(?:\"),(?:\")%{WORD:type}(?:\")%{SPACE}"] }
  }
}

I don't really get it. How is the physical address "outside" the event?

My bad. Why doesn't the parsing continue, though? It stops after the first match.

The "problem" is that you have multiple things, each of which you want as a unique document, in one message.

Either, if you're sure that in one message (that you want as a document) there is no space, then split it into multiple events (some Ruby code might do the trick). If you have the possibility, place a proper delimiter between messages (one that you're sure won't appear inside) and split on it.

Or, search if it's possible to do something like:

"message" => "((?:\")%{IP:interface}(?:\"),(?:\")%{IP:internet_address}(?:\"),(?:\")%{MAC:physical_address}(?:\"),(?:\")%{WORD:type}(?:\")(%{SPACE})?)*"

But! You need to search for a way to append to fields and not override them.

But I think what you want is the first solution.

Thanks for the suggestion.
I've tried appending a delimiter and splitting with mutate like so:
mutate {
  split => { "message" => "|" }
}
and that is the result; I am not sure what's happening here:

That's the second case I cited: the different events get stored in one document, with fields containing arrays.

How do I separate the events?
Should I write custom Ruby code? (I'm a newbie, so sorry for all of these questions :/)

I would say yes.

You can use:

new_event = event.clone

to clone the current event, then on that clone remove fields, add fields, etc., and to push it:

new_event_block.call(new_event)
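As an added example (not code from the thread), here is plain Ruby that does the splitting the two answers above describe: it runs the record pattern repeatedly over the whole message (which grok does not do, since grok stops after the first match) and produces one hash per record, the way a ruby filter would clone the event once per record before calling new_event_block.call. The sample message is constructed to look like the four-column ARP-style records in the question; the IP and MAC patterns are simplified IPv4/colon-MAC stand-ins for grok's %{IP} and %{MAC} (those also accept IPv6 and dash/dot MAC forms), and the Hash used in place of a LogStash::Event is an assumption so the code runs offline.

```ruby
# Simplified equivalents of grok's %{IP} and %{MAC} (IPv4 and colon-separated MAC only).
IP_RE  = /(?:\d{1,3}\.){3}\d{1,3}/
MAC_RE = /(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}/

# One record: "interface","internet_address","physical_address","type"
# Capture groups map onto the four fields the question expects.
RECORD_RE = /"(#{IP_RE})","(#{IP_RE})","(#{MAC_RE})","(\w+)"/

# Scan the whole message and return one Hash per record found.
# This is the "keep going after the first match" that grok's match does not do.
def split_records(message)
  message.scan(RECORD_RE).map do |iface, inet, mac, type|
    {
      "interface"        => iface,
      "internet_address" => inet,
      "physical_address" => mac,
      "type"             => type,
    }
  end
end

# Turn one parent event into N child events, mirroring the ruby filter flow:
# clone the event, add the parsed fields, drop the raw message, then emit.
# A Hash stands in for LogStash::Event here (assumption for an offline run).
def expand_event(event)
  split_records(event.fetch("message", "")).map do |fields|
    child = event.clone.merge(fields)   # event.clone + field adds
    child.delete("message")             # keep only the parsed fields
    child                               # would be new_event_block.call(child)
  end
end

# Constructed sample: two space-separated records in a single message.
SAMPLE_MESSAGE = '"192.168.1.10","192.168.1.1","00:1a:2b:3c:4d:5e","dynamic" ' \
                 '"192.168.1.10","192.168.1.20","aa:bb:cc:dd:ee:ff","static"'

if __FILE__ == $PROGRAM_NAME
  expand_event({ "message" => SAMPLE_MESSAGE, "host" => "pc1" }).each do |e|
    puts e.inspect
  end
end
```

Inside a real ruby filter the same logic goes in the code option (or a script file): call split_records on event.get("message"), build each child with event.clone and event.set, hand it to new_event_block.call, and event.cancel the parent so only the per-record documents reach the output.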
