Grok parsing gives Unexpected outcome


(Sahar Q) #1

The expected outcome is the following in each event:
interface
internet_address
physical_address
type

grok only parses the first match, i dont really get whats going on here.
here is the UNEXPECTED outcome:

here is the config file:

input {
http{
port => 9999
}
}

filter{
split {
field => "message"
}
grok {
match => {"message" => ["(?:")%{IP:interface}(?:"),(?:")%{IP:internet_address}(?:"),(?:")%{MAC:physical_address}(?:"),(?:")%{WORD:type}(?:")%{SPACE}"]}

}
}


#2

I don't really get it. How is the physical address "outside" the event?


(Sahar Q) #3

My bad, why doesnt the parsing continue tho? it stops after the first match


#4

The "problem" is that you have multiple things that you want as a unique document in one message.

Either, if you're sure that in one message (that you want as a document) there is no space, then split it in multiple event (a ruby code might do the trick). If you have the possibilty, place a proper delimiter between messages (that you're sure that won't appear inside) and split on it.

Or, search if it's possible to do something like:

"message" => "((?:\")%{IP:interface}(?:\"),(?:\")%{IP:internet_address}(?:\"),(?:\")%{MAC:physical_address}(?:\"),(?:\")%{WORD:type}(?:\")(%{SPACE})?)*"

But! you need to search for a way to append to field and not override them.

But I think what you want is the 1st solution


(Sahar Q) #5

thanks for the suggestion,
i've tried appending a delimiter and spliting with mutate like so
mutate {
split => {"message" => "|"}
}
and that is the result, i am not sure whats happening here:


#6

That's the second case i've cited, the different event gets stored in one document with field containings array.


(Sahar Q) #7

how do i separate the events?
should i do a costum ruby code? (im a newbie so sorry for all of this questions :/)


#8

I would say yes.

You can use:

new_event = event.clone

To clone the current event and then on this event, remove fields, add fields, etc. and to push it:

new_event_block.call(new_event)

(system) #9

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.