Grok Pattern not working

Pranav_M · December 29, 2021, 11:11pm

Hey Community,

Received packet: Type = N5abcde8AbcAbcde9AbcdAbcde15AbcdefghAbcdefA, xx = 95, xxx = 441, xxxXxo = 2, xXxxXxx = 1, xxxx = 9 accepted.

The above line is a message from my log and I want to seperate each data into a field to visualize it in Kibana, I tried to use Grok and Dissect, however I am unable to achieve it. I would be extremely thankful if someone from you could guide me to put them together in a pattern

The following is the grok pattern that I have defined, however it isn't working
grok {
match => { "Log_Message" => "%{GREEDYDATA:Packet_Type}%{NUMBER:ts:int}%{NUMBER:cts:int}%{NUMBER:SeqNo:int}%{NUMBER:cSeqNo:int}%{NUMBER:trtd:int}" } }

Badger · December 30, 2021, 12:21am

That does not match your example message. If the set of fields is constant you could use something like

Type = %{NOTSPACE:type}, xx = %{NUMBER:ts:int}, xxx = %{NUMBER:cts:int}, xxxXxo = %{NUMBER:SeqNo:int}, xXxxXxx = {NUMBER:cSeqNo:int}, xxxx = %{NUMBER:trtd:int} accepted

If the set of fields varies it might be better to use an array of patterns, one for each field

grok {
    break_on_match => false
    match => { "log_message" => [
        "Type = %{NOTSPACE:type}",
        "xx = %{NUMBER:ts:int}",
        "xxx = %{NUMBER:cts:int}",
        "xxxXxo = %{NUMBER:SeqNo:int}",
        "xXxxXxx = {NUMBER:cSeqNo:int}",
        "xxxx = %{NUMBER:trtd:int}"
    ]
}

Pranav_M · December 30, 2021, 9:34am

@Badger Thank you for the quick response, its working, thanks a lot

Pranav_M · January 10, 2022, 11:48am

Hi @Badger

I would like to filter out this patter as well from my message, how do I add a filter for it, i tried the following but then neither of them works, I request you to help me out with catching the following message

Abcde Abcde : XX

where Abcde is a string and XX is an integer

I tried the following grok patterns, but doesn't seem to work

match => { "message" => ["ABCDE ABCDE= %{NUMBER:ABCDE ABCDE:int}" ] }

and

match => { "message" => ["ABCDE_ABCDE= %{NUMBER:ABCDE ABCDE:int}" ] }

and

match => { "message" => ["ABCDE ABCDE= %{NUMBER:ABCDE_ABCDE:int}" ] }

and

match => { "message" => ["ABCDE_ABCDE= %{NUMBER:ABCDE_ABCDE:int}" ] }

Can you please help me out in retrieving the message using grok

Badger · January 10, 2022, 3:01pm

Your sample data is separated using : but your patterns use =. That is not going to work.

Pranav_M · January 11, 2022, 4:50am

@Badger , Thanks for your quick response, I understood the working of the filter now and was able to script according to the parameters.

I am now trying to retrieve values out of the log message.

Aaaaaaa AaaaaaaaaaaaAaaaaaa : Aaaaaa: X|X.

the values of X ranges from 0 to 8 and this was the script that I wrote for it
match => { "message" => ["Aaaaaaa AaaaaaaaaaaaAaaaaaa : Aaaaaa: %{NUMBER:AAA:float}|%{NUMBER:BBB:float}" ] }

there is no error thrown, however Logstash is now capturing all messages containing an integer, is there any way where I can make it work?

I want to take the first value and plot in field AAA and second value and plot in field BBB

Topic		Replies	Views
I'm just confused in using grok Logstash	10	536	June 21, 2018
Q. grok filter pattern Logstash	8	940	October 14, 2018
Variable fields in Logstash's Grok-Pattern Logstash	11	3000	May 21, 2019
Grok filter extracting fields from message Logstash	9	2721	July 21, 2020
Need Help Groking Logstash	3	336	March 31, 2020

Grok Pattern not working

Related topics