Grok pattern works in the debugger but not in the filter

Hello,

The following strings are successfully parsed by the grok debugger:

<174>ddsh: {epoch=1553696401;id='AUDIT-DDSH-00001';desc='DDSH CLI command';level=3;user='root';role='se';app='ddsh';host='ddem';detail='cmd=cifs show detailed-stats';}
<174>-ddsh: {epoch=1553698006;id='AUDIT-DDSH-00001';desc='DDSH CLI command';level=3;user='sysadmin';role='admin';app='ddsh';host='ddem';detail='cmd=exit';}

with a pattern like this:

```
<%{NONNEGINT:syslog_pri}>(-|)%{WORD:[syslog][program]}: {epoch=%{NUMBER:[syslog][epoch_timestamp]};id='%{DATA:[syslog][program_id]}';desc='%{DATA:[syslog][program][desc]}';level=%{NUMBER:[syslog][program][level]};user='%{WORD:[syslog][program][user]}';role='%{WORD:[syslog][program][role]}';app='%{WORD:[syslog][program][app]}';host='%{WORD:[syslog][program][host]}';detail='%{DATA:[syslog][program][detail]}';}
```

but when I put this pattern into the filter section I get "_grokparsefailure".
I noticed that the failure starts at the "id=" part of the string, so I changed the patterns from [1][2][3] to [1][2_3]:

```
<%{NONNEGINT:syslog_pri}>(-|)%{WORD:[syslog][program]}: {epoch=%{NUMBER:[syslog][epoch_timestamp]};id='%{DATA:[syslog][program_id]}';desc='%{DATA:[syslog][program_desc]}';level=%{NUMBER:[syslog][program_level]};user='%{WORD:[syslog][program_user]}';role='%{WORD:[syslog][program_role]}';app='%{WORD:[syslog][program_app]}';host='%{WORD:[syslog][program_host]}';detail='%{DATA:[syslog][program_detail]}';}
```

and it works now.

Could you explain what the problem is with using the [1][2][3] pattern?

brg,
Serhiy.

[syslog][program] is a string, and then you try to make it an object that has subfields. It cannot be both.
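To make the answer above concrete, here is an added example (not code from the thread, not Logstash's own implementation) that models how nested field references get assigned into an event. It runs a Python regex equivalent of the question's grok pattern over the two quoted log lines and assigns the captures under three layouts: the failing `[syslog][program][desc]` layout, the working `[syslog][program_desc]` layout, and a hypothetical third layout where the program name moves to `[syslog][program][name]` so that `[syslog][program]` is an object throughout. The function names `make_layout`, `set_field`, `grok`, the `FieldConflict` class and the `"object"` layout are all assumptions introduced for this example; the sample lines are copied from the question.

```python
"""Model of how Logstash-style field references are assigned into an event
(a hypothetical model written for this example, not Logstash's own code).
It shows why the [syslog][program][desc] layout from the question fails once
[syslog][program] already holds the string captured by %{WORD}, and why the
[syslog][program_desc] layout, or making program an object, does not."""
import re

# Constructed sample input: the two lines quoted in the question.
SAMPLES = [
    "<174>ddsh: {epoch=1553696401;id='AUDIT-DDSH-00001';desc='DDSH CLI command';"
    "level=3;user='root';role='se';app='ddsh';host='ddem';"
    "detail='cmd=cifs show detailed-stats';}",
    "<174>-ddsh: {epoch=1553698006;id='AUDIT-DDSH-00001';desc='DDSH CLI command';"
    "level=3;user='sysadmin';role='admin';app='ddsh';host='ddem';detail='cmd=exit';}",
]

# Python equivalent of the question's grok pattern. NUMBER and NONNEGINT are
# simplified to \d+ (enough for these lines); DATA is the same non-greedy .*?
# that grok uses. Group names are flat because Python identifiers cannot hold
# bracketed paths; make_layout() below maps each group to a field path.
LINE_RE = re.compile(
    r"<(?P<pri>\d+)>(?:-|)(?P<program>\w+): \{epoch=(?P<epoch>\d+);"
    r"id='(?P<id>.*?)';desc='(?P<desc>.*?)';level=(?P<level>\d+);"
    r"user='(?P<user>\w+)';role='(?P<role>\w+)';app='(?P<app>\w+)';"
    r"host='(?P<host>\w+)';detail='(?P<detail>.*?)';\}"
)

SUBFIELDS = ["desc", "level", "user", "role", "app", "host", "detail"]


def make_layout(style):
    """Map regex group -> field path, in the order grok would assign them."""
    paths = {"pri": ["syslog_pri"], "epoch": ["syslog", "epoch_timestamp"],
             "id": ["syslog", "program_id"]}
    if style == "nested":      # the failing [1][2][3] layout from the question
        paths["program"] = ["syslog", "program"]
        paths.update({s: ["syslog", "program", s] for s in SUBFIELDS})
    elif style == "flat":      # the working [1][2_3] layout from the question
        paths["program"] = ["syslog", "program"]
        paths.update({s: ["syslog", f"program_{s}"] for s in SUBFIELDS})
    elif style == "object":    # hypothetical fix: program becomes an object
        paths["program"] = ["syslog", "program", "name"]
        paths.update({s: ["syslog", "program", s] for s in SUBFIELDS})
    else:
        raise ValueError(style)
    return paths


class FieldConflict(TypeError):
    """A path descends through, or overwrites, a field of the wrong type."""


def set_field(event, path, value):
    """Assign value at a nested path, refusing to treat a string as an object."""
    node = event
    for key in path[:-1]:
        child = node.setdefault(key, {})
        if not isinstance(child, dict):
            raise FieldConflict(
                f"[{']['.join(path)}]: [{key}] already holds {child!r}")
        node = child
    leaf = path[-1]
    if isinstance(node.get(leaf), dict) and not isinstance(value, dict):
        raise FieldConflict(f"[{']['.join(path)}] is an object, cannot store {value!r}")
    node[leaf] = value


def grok(line, layout):
    """Parse one line into a nested event; on any failure return a tagged event."""
    m = LINE_RE.match(line)
    if m is None:
        return {"tags": ["_grokparsefailure"]}
    event = {}
    try:
        for group, path in layout.items():
            set_field(event, path, m.group(group))
    except FieldConflict:
        # Modelled on the outcome the question reports: the event comes out tagged.
        return {"tags": ["_grokparsefailure"]}
    return event


if __name__ == "__main__":
    for style in ("nested", "flat", "object"):
        print(style, grok(SAMPLES[0], make_layout(style)))
```

Running it prints a `_grokparsefailure` event for the `nested` layout only: `%{WORD:[syslog][program]}` is assigned first and stores a string, so the later `[syslog][program][desc]` has nothing to descend into. The `flat` layout never nests under `program`, and the `object` layout keeps `program` a map from the start, which is the shape the answer above implies.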

Thanx,

I'll try to add a 3rd field on the first occasion.
