Grok pattern not working with spaces

kriss332 · June 28, 2021, 3:59pm

Hi all , I am trying to get a pattern for tbelow log in GrokDebugger site.

Jun 27 00:00:12 location2-squid2 SQUID 1624732203.029 877 172.1.1.1 TCP_MISS/200 70205 GET http://10.10.1.1/v1/loading/summary? - HIER_DIRECT/10.24.1.71 application/json

What I've been able to match so far is-

%{WORD:month} %{NUMBER:date} %{TIME:time} %{HOSTNAME:system} %{WORD:type} %{NUMBER:datetime}

The last match is -

"datetime": [ [ "1624732203.029" ] ]

It seems that next block 877 number is appearing after a tab. But the pattern %{WORD:month} %{NUMBER:date} %{TIME:time} %{HOSTNAME:system} %{WORD:type} %{NUMBER:datetime}\t%{NUMBER:elapsed} fails when I try to map 877 (even using multiple spaces instead of \t it dowsn't match).
Any help would be appreciated. Thanks

Badger · June 28, 2021, 4:38pm

Have you tried \s+? That should match one or more spaces or tabs.

kriss332 · June 28, 2021, 4:54pm

That worked. Thanks alot @Badger
Is there a good site for referencing everything related to GROK patterns and their nitty gritty details !!!

system · July 26, 2021, 4:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.