Grok pattern not working with spaces

kriss332 · June 28, 2021, 3:59pm

Hi all , I am trying to get a pattern for tbelow log in GrokDebugger site.

Jun 27 00:00:12 location2-squid2 SQUID 1624732203.029 877 172.1.1.1 TCP_MISS/200 70205 GET http://10.10.1.1/v1/loading/summary? - HIER_DIRECT/10.24.1.71 application/json

What I've been able to match so far is-

%{WORD:month} %{NUMBER:date} %{TIME:time} %{HOSTNAME:system} %{WORD:type} %{NUMBER:datetime}

The last match is -

"datetime": [ [ "1624732203.029" ] ]

It seems that next block 877 number is appearing after a tab. But the pattern %{WORD:month} %{NUMBER:date} %{TIME:time} %{HOSTNAME:system} %{WORD:type} %{NUMBER:datetime}\t%{NUMBER:elapsed} fails when I try to map 877 (even using multiple spaces instead of \t it dowsn't match).
Any help would be appreciated. Thanks

Badger · June 28, 2021, 4:38pm

Have you tried \s+? That should match one or more spaces or tabs.

kriss332 · June 28, 2021, 4:54pm

That worked. Thanks alot @Badger
Is there a good site for referencing everything related to GROK patterns and their nitty gritty details !!!

Topic		Replies	Views
Provided Grok patterns do not match data in the input Logstash	5	1385	May 14, 2021
Grok pattern for space OR double space Logstash	9	11341	June 12, 2017
Grok pattern with space Logstash	2	991	August 4, 2017
Logstash grok pattern: Unexpected output Logstash	5	397	June 26, 2018
Grok filter pattern not working Logstash	9	1333	January 10, 2020

Grok pattern not working with spaces

Related topics