GROK pattern troubles

newmember · May 15, 2020, 4:29am

I cant seem to find a pattern for this custom log file:

CDR|N|05:01:2020 12:00:00:991|TEL|20010|blue02|16285|34|TEL_InitiateCall|AA_Rr_Tenant|blue02-PORT34-0501202011595810:SC:AA_Rr_Tenant:7667320521:17663223511:0501202012000099::
CDR|N|05:01:2020 12:00:01:996|TEL|20011|brown02|16285|23|TEL_DropCall|AA_Rr_Tenant|brown02-PORT23-0501202011585615:EC:02:0501202012000199::

This was my first pass and it would not parse.

%{WORD:cdr.LogID}\|%{WORD:cdr.ReportingMode}\|%{INT:cdr.MM}:%{INT:cdr.DD}:%{INT:cdr.YYYY}%{SPACE}%{INT:cdr.HH:%{INT:cdr.mm}:%{INT:cdr.ss}:%{INT:cdr.sss}\|%{WORD:cdr.ServiceType}\|%{INT:cdr.MessageID}\|%{WORD:cdr.SystemName}\|%{INT:cdr.ProcessID}\|%{INT:cdr.PortNumber}\|%{USERNAME:cdr.ModuleName}\|%{USERNAME:cdr.ApplicationName}\|%{USERNAME:cdr.Key}:%{WORD:cdr.CDR_Type}:%{WORD:cdr.AppName}:%{INT:cdr.Originator}:%{INT:cdr.Destination}:%{INT:cdr.CallStartTime}:%{GREEDYDATA}

Being a newbie I thought I would break down the problem in parts and I have a few questions and lots of problems.

a.
The date and time: I would like to combine
I thought maybe a mix of GROK and REGEX

%{WORD:cdr.LogID}\|%{WORD:cdr.LogID}\|(?<cdr.Date>((?:[:0-9]+))) (?<cdr.Time>((?:[:0-9]+)))

I thought I would have the Date and Time in the first fields under 'cdr" instead of its own field?
A space is added in front of the Month/Year/Minute/Seconds/SSec not how that happened?

{
  "cdr": [
    "CDR",
    "N"
  ],
  "cdr.Date": [
    "05: 01: 2020"
  ],
  "cdr.Time": [
    "12: 00: 00: 991"
  ]
}

b.
At the end of the record the fields are little bit different with missing fields:
This was my first pass:

\|%{USERNAME:cdr.Key}:%{WORD:cdr.CDRType}:%{WORD:cdr.AppName}:%{INT:cdr.Originator}:%{INT:cdr.Destination}:%{INT:cdr.Time}:

Is there a way to have missing fields where in this case Org. and Des. are not in the second record?

|blue02-PORT34-0501202011595810:SC:AA_Rr_Tenant:7667320521:17663223511:0501202012000099::
|brown02-PORT23-0501202011585615:EC:02:0501202012000199::

c.
I was testing this pattern on Grok Debugger
I am not sure why the "." makes a difference in the name of the field?

%{USERNAME:cdr.Key}:%{WORD:cdrCDRType}:    This one works
%{USERNAME:cdr.Key}:%{WORD:cdrCDR.Type}:   This one fails

Example of the working output without the "." in the field name:

{
  "cdr": [
    "blue02-PORT34-0501202011595810"
  ],
  "cdrCDRType": [
    "SC"
  ]
}

d.
How was my posting formatting? The posting message suggested I fix the code statements?

Christian_Dahlqvist · May 15, 2020, 6:08am

As far as I can see the ending curly brace is missing for the cdr.HH field.

Given the structure of the log entry I would also probably recommend using the dissect filter rather than grok.It is generally faster and IMHO easier to use.

system · June 12, 2020, 6:08am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.