sev=1 proto=TCP
trying to use grok with this pattern because sometimes my log format changes, but the output is TCP and null.. how can I account for a pattern to search the whole string and extract the value?
(.+proto=?=%{USERNAME:proto})?(.+sev=?=%{USERNAME:sev})?
Hi, I recommend a few changes to your pattern:
sev is first in your string.+ to .*, there are no characters before sev
NUMBER for sev if that value is always numericFinal pattern:
(.*sev=?=%{NUMBER:sev})?(.*proto=?=%{USERNAME:proto})?
Let me know if this helps.
sorry I think i needed to be more clear.
I'm trying to write an expression that is able to parse both:
Since in my log structure, the position of the values sometimes move around in a new line.
If there are the only two values, I'd suggest a simple OR regex:
(.*proto=?=%{USERNAME:proto}.*sev=?=%{NUMBER:sev})|(.*sev=?=%{NUMBER:sev}.*proto=?=%{USERNAME:proto})
Anything beyond two values which can arbitrarily move around will involve a more complex regex pattern.
interesting, thanks for your reply.
So it seems the flow must go in sequential order, and thus there isn't a way for one to write a regex pattern that would start from the beginning search the entire string and extract a match, and then start from the beginning again and continue?
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.