Grok Pattern

What is the correct syntax to incorporate raw regex expressions in between grok patterns?

Ex (Cisco device):

LOG: Aug 1 22:15:10 abc-hostname tcp

GROK pattern:
%{CISCOTIMESTAMP:timestamp} \b\w+-\w+\b %{WORD:protocol}

The following regex \b\w+-\w+\b has successfully parsed abc-hostname when I run it on regex test sites, but I am unable to get it to work on the grok debugger. I have tried playing around with the syntax with parentheses and curly brackets but haven't had any luck.

I cannot speak to any grok debuggers since I never use them, but it works just fine in logstash

input { generator { count => 1 lines => [ 'Aug 1 22:15:10 abc-hostname tcp' ] } }
filter {
    grok { match => { "message" => "%{CISCOTIMESTAMP:timestamp} \b\w+-\w+\b %{WORD:protocol}" } }
}
output { stdout { codec => rubydebug { metadata => false } } }

results in

 "timestamp" => "Aug 1 22:15:10",
  "protocol" => "tcp",

Hey thanks, my only follow-up would be that in the "results in" snippet you submitted there isn't a "hostname: abc-hostname". Do you know a way to make the Grok filter read that "abc-hostname" portion and give it a field?

If I used %{WORD:hostname} it only takes "abc" and does not include the "-hostname"
I am attempting to include the "-hostname" portion as well

Use a custom pattern.

"%{CISCOTIMESTAMP:timestamp} \b(?<hostname>\w+-\w+)\b %{WORD:protocol}"
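To see why the raw regex works inline and how the custom `(?<hostname>...)` capture becomes a field, here is an added example that is not from this thread or from Logstash: a small Python grok expander. It substitutes `%{NAME}` and `%{NAME:field}` references recursively and turns Oniguruma-style `(?<name>...)` groups into Python's `(?P<name>...)` syntax (real grok runs on Oniguruma, which accepts `(?<name>...)` directly, so that rewrite only exists here). The pattern table is an approximation of Logstash's shipped grok-patterns written for this example, and the log lines are constructed. It also goes one step beyond the thread by showing that `\w+-\w+` does not match a hostname with two hyphens, and that `[\w-]+` does.

```python
import re

# Approximations of the definitions in Logstash's grok-patterns file (written
# for this example; YEAR drops the atomic group, TIME drops the odd lookahead).
PATTERNS = {
    "MONTH": r"\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?"
             r"|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "YEAR": r"(?:\d\d){1,2}",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])",
    "CISCOTIMESTAMP": r"%{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}",
    "WORD": r"\b\w+\b",
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")   # %{NAME} or %{NAME:field}
ONIG_NAMED = re.compile(r"\(\?<(\w+)>")           # (?<name>  (not lookbehind (?<= / (?<!)


def expand(pattern, depth=0):
    """Replace every %{...} reference with its regex, recursively."""
    if depth > 20:
        raise ValueError("grok pattern nests too deeply")

    def sub(m):
        name, field = m.group(1), m.group(2)
        body = expand(PATTERNS[name], depth + 1)
        # A field name becomes a named group; a bare reference is just grouped.
        return f"(?P<{field}>{body})" if field else f"(?:{body})"

    return GROK_REF.sub(sub, pattern)


def compile_grok(pattern):
    """Expand grok references, then map (?<name>...) to Python's (?P<name>...)."""
    return re.compile(ONIG_NAMED.sub(r"(?P<\1>", expand(pattern)))


def grok_match(pattern, line):
    """Return the named captures as a dict, or None when the pattern does not match."""
    m = compile_grok(pattern).search(line)
    return m.groupdict() if m else None


# Constructed sample lines: the one from the question, plus one with a year and
# a two-hyphen hostname to show where \w+-\w+ stops being enough.
LINE = "Aug 1 22:15:10 abc-hostname tcp"
LINE2 = "Aug 12 2019 03:04:05 core-sw-01 udp"

RAW_REGEX = r"%{CISCOTIMESTAMP:timestamp} \b\w+-\w+\b %{WORD:protocol}"
WORD_ONLY = r"%{CISCOTIMESTAMP:timestamp} %{WORD:hostname}"
NAMED = r"%{CISCOTIMESTAMP:timestamp} \b(?<hostname>\w+-\w+)\b %{WORD:protocol}"
NAMED_MULTI = r"%{CISCOTIMESTAMP:timestamp} \b(?<hostname>[\w-]+)\b %{WORD:protocol}"

if __name__ == "__main__":
    for label, pat, line in [("raw regex", RAW_REGEX, LINE),
                             ("WORD only", WORD_ONLY, LINE),
                             ("named group", NAMED, LINE),
                             ("named, two hyphens", NAMED, LINE2),
                             ("[\\w-]+, two hyphens", NAMED_MULTI, LINE2)]:
        print(f"{label:22} -> {grok_match(pat, line)}")
```

The `WORD_ONLY` pattern stops at "abc" because `\b\w+\b` cannot cross the hyphen, which is exactly the behaviour reported above; the custom named group captures the whole token, and the `[\w-]+` variant is what you would reach for on hostnames like "core-sw-01".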
