Grok pattern not working with spaces

kriss332 · June 28, 2021, 3:59pm

Hi all , I am trying to get a pattern for tbelow log in GrokDebugger site.

Jun 27 00:00:12 location2-squid2 SQUID 1624732203.029 877 172.1.1.1 TCP_MISS/200 70205 GET http://10.10.1.1/v1/loading/summary? - HIER_DIRECT/10.24.1.71 application/json

What I've been able to match so far is-

%{WORD:month} %{NUMBER:date} %{TIME:time} %{HOSTNAME:system} %{WORD:type} %{NUMBER:datetime}

The last match is -

"datetime": [ [ "1624732203.029" ] ]

It seems that next block 877 number is appearing after a tab. But the pattern %{WORD:month} %{NUMBER:date} %{TIME:time} %{HOSTNAME:system} %{WORD:type} %{NUMBER:datetime}\t%{NUMBER:elapsed} fails when I try to map 877 (even using multiple spaces instead of \t it dowsn't match).
Any help would be appreciated. Thanks

Badger · June 28, 2021, 4:38pm

Have you tried \s+? That should match one or more spaces or tabs.

kriss332 · June 28, 2021, 4:54pm

That worked. Thanks alot @Badger
Is there a good site for referencing everything related to GROK patterns and their nitty gritty details !!!

system · July 26, 2021, 4:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can someone pls help me with my logstash parsers Logstash	4	385	May 17, 2020
Grok pattern with space Logstash	2	936	August 4, 2017
Help with Grok pattern with space in field? Logstash	3	4856	April 24, 2017
Logstash grok pattern: Unexpected output Logstash	5	361	June 26, 2018
Provided Grok patterns do not match data in the input Logstash	5	1152	May 14, 2021

Grok pattern not working with spaces

Related topics