Grok Printer Log issue

Hi,
I want to grok the printer log; 10 sample records are below.

ABC00720,ABC00720_NB,TCPRINT501,5,1491672,A4,Microsoft Outlook - 備忘錄樣式,2018/08/01,22:42:42
ABC03951,ABC03951_NB,RDPRINT501,6,545477,Letter (8.5 x 11"),DesignWare Cores Ethernet MAC Universal Databook, Version 3.73a,2018/07/31,21:40:24
ABC00137,ABC00137,TCPRINT502,1,988253,Letter (8.5 x 11"),費用-201807(含將群, 北美, 三達).xls,2018/07/24,16:24:56
ABC02563,ABC02563,TCPRINT501,5,1768223,Letter (8.5 x 11"),CNN Architectures: LeNet, AlexNet, VGG, GoogLeNet, ResNet and more ….,2018/07/23,10:36:48
ABC02805,ABC02805,RDPRINT202,1,424465,Japanese Envelope Chou #3,婚禮確認單_20190605 0900 小明 CRY.pdf,2018/07/20,15:13:49
ABC00858,ABC00858,SZPRINT201,1,365519,Letter (8.5 x 11"),20180627 NB51026, NA51046, NA51051 MP Mask List.xlsx,2018/07/19,08:55:24
ABC00137,ABC00137,TCPRINT501,1,733614,Letter (8.5 x 11"),CNN-201807獎金報表(Round公式,修黎明18%,不扣健保費)_扣除MD-胡小明.xls,2018/07/18,09:05:43
ABC00137,ABC00137,TCPRINT501,1,3054019,Letter (8.5 x 11"),20180703_2018Q3(07-01~09-30)到期之維護費(附收據)(122件,NTD685,500)_含收據.pdf,2018/07/12,10:41:36
ABC00134,ABC00134,TCPRINT401,17,23198140,16K 195x270 mm,Ch8-2018.pdf,2018/07/23,15:15:24
XA00256,XA00256,TCPRINT501,17,3250397,A4,Fast, Accurate, and, Lightweight Super-Resolution with Cascading Residual Network.pdf,2018/07/16,14:14:23

The record columns are, in order: User, Computer, Printer, Page, Size, Page Type, File Name, Date, Time, 9 columns in total. I tried to grok these logs, but only row 1 parses correctly; the other records (rows 2~10) get wrong data.

My grok format is
grok {
  match => {
    "message" => "%{GREEDYDATA:User},%{GREEDYDATA:Computer},%{GREEDYDATA:Printer},%{GREEDYDATA:Page},%{GREEDYDATA:Size},%{GREEDYDATA:PageType},%{GREEDYDATA:FileName},%{GREEDYDATA:PrintDate},%{GREEDYDATA:PrintTime}\s"
  }
}

How do I get a correct grok parse?

Thanks

Hello!

I would try the csv filter instead of grok. Did you try it for this use case?

Regards

Hi Alesnav,

Thanks for your reply. I tried to use the CSV filter, but I don't know how to set the separator parameter, whose default value is ",", because the file name value also contains a "," sign.

The default separator for csv filter is "," as shown in https://www.elastic.co/guide/en/logstash/current/plugins-filters-csv.html#plugins-filters-csv-separator so you don't have to configure it if you don't want to.

Hi alesnav,
Thanks for your reply.
I know that the default separator is ",", but the file name includes ",", so the event gets _csvparsefailure in tags and can't be parsed.

For example, in row 2 the file name is "DesignWare Cores Ethernet MAC Universal Databook, Version 3.73a"

CSV Filter
csv {
  columns => ["User","Computer","Printer","Pages","Size","PageType","FileName","PrintDate","PrintTime"]
}

Parse Result:
{
  _index: "sec-prt-csv",
  _type: "doc",
  _id: "rlPM-WQBe4qwmz3_mvWi",
  _score: 1,
  _source: {
    @timestamp: "2018-08-02T08:40:31.706Z",
    @version: "1",
    path: "/u1/LogCollect/lab.csv",
    host: "OAELKT-L1",
    message: "ABC03951,ABC03951_NB,RDPRINT501,6,545477,Letter (8.5 x 11"),DesignWare Cores Ethernet MAC Universal Databook, Version 3.73a,2018/07/31,21:40:24 ",
    tags: [
      "SEC-PRT-CSV",
      "_csvparsefailure"
    ]
  }
}

I have fixed the issue with the "," sign in the file name by changing the source log format for the file name.

grok {
  match => {
    "message" => "%{GREEDYDATA:User},%{GREEDYDATA:Computer},%{GREEDYDATA:Printer},%{GREEDYDATA:Page},%{GREEDYDATA:Size},%{GREEDYDATA:PageType},\|%{GREEDYDATA:FileName}\|,%{GREEDYDATA:PrintDate},%{GREEDYDATA:PrintTime}\s"
  }
}
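The pipe-delimited fix above works when you control the log source. The original nine-column layout can also be parsed without changing the format, because FileName is the only column that can contain commas and the columns on both sides of it have a fixed shape. The block below is an added example, not code from this thread or from Logstash: it bounds every fixed column (no commas, or digits only), pins the date and time to the end of the line, and leaves FileName as the single greedy group, so the regex engine has to give the surplus commas to FileName. It also reproduces, in Python syntax, the field shift that the all-GREEDYDATA pattern from the question produces on row 2. The sample lines are copied from the records in the thread; GROK_EQUIVALENT is my transcription of the anchored pattern into grok syntax and is an assumption that was not tested in the thread.

```python
import re
from typing import Optional

FIELDS = ['User', 'Computer', 'Printer', 'Page', 'Size', 'PageType',
          'FileName', 'PrintDate', 'PrintTime']

# Sample lines taken from the thread's printer log (constructed subset);
# FileName is the only column that may itself contain commas.
SAMPLE_LINES = [
    'ABC00720,ABC00720_NB,TCPRINT501,5,1491672,A4,Microsoft Outlook - 備忘錄樣式,2018/08/01,22:42:42',
    'ABC03951,ABC03951_NB,RDPRINT501,6,545477,Letter (8.5 x 11"),DesignWare Cores Ethernet MAC Universal Databook, Version 3.73a,2018/07/31,21:40:24',
    'ABC00137,ABC00137,TCPRINT502,1,988253,Letter (8.5 x 11"),費用-201807(含將群, 北美, 三達).xls,2018/07/24,16:24:56',
    'XA00256,XA00256,TCPRINT501,17,3250397,A4,Fast, Accurate, and, Lightweight Super-Resolution with Cascading Residual Network.pdf,2018/07/16,14:14:23',
]

# The all-GREEDYDATA pattern from the question, transcribed to Python
# (trailing whitespace made optional). Nine unbounded groups joined by
# commas: on a line with more than eight commas the first group swallows
# the surplus, so every later field is shifted by one column.
NAIVE_RE = re.compile(r'^' + ','.join(rf'(?P<{n}>.*)' for n in FIELDS) + r'\s*$')

# Anchored pattern: fixed columns are [^,]+ or \d+, date/time are pinned
# to the line end, and FileName is the only greedy, comma-tolerant group.
# Python names groups (?P<name>...); grok's Oniguruma syntax is (?<name>...).
ANCHORED_RE = re.compile(
    r'^(?P<User>[^,]+),(?P<Computer>[^,]+),(?P<Printer>[^,]+),'
    r'(?P<Page>\d+),(?P<Size>\d+),(?P<PageType>[^,]+),'
    r'(?P<FileName>.+),'
    r'(?P<PrintDate>\d{4}/\d{2}/\d{2}),(?P<PrintTime>\d{2}:\d{2}:\d{2})\s*$'
)

# Assumed grok equivalent of ANCHORED_RE (DATA is non-greedy, INT is typed);
# this is my transcription, not a pattern from the thread.
GROK_EQUIVALENT = (
    '^%{DATA:User},%{DATA:Computer},%{DATA:Printer},%{INT:Page:int},%{INT:Size:int},'
    '%{DATA:PageType},%{GREEDYDATA:FileName},'
    '(?<PrintDate>\\d{4}/\\d{2}/\\d{2}),(?<PrintTime>\\d{2}:\\d{2}:\\d{2})\\s*$'
)


def parse_naive(line: str) -> Optional[dict]:
    """Parse with the question's pattern; shows the wrong split on row 2."""
    m = NAIVE_RE.match(line)
    return m.groupdict() if m else None


def parse_anchored(line: str) -> Optional[dict]:
    """Return the nine fields (Page/Size as ints) or None when the line does
    not fit the layout, so a bad line is rejected rather than mis-assigned."""
    m = ANCHORED_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['Page'] = int(rec['Page'])
    rec['Size'] = int(rec['Size'])
    return rec


def parse_log(lines):
    """Parse many lines; returns (records, unparsed_lines) so failures stay visible."""
    records, unparsed = [], []
    for line in lines:
        rec = parse_anchored(line)
        (records if rec is not None else unparsed).append(rec if rec is not None else line)
    return records, unparsed


if __name__ == '__main__':
    print('naive User on row 2:', parse_naive(SAMPLE_LINES[1])['User'])
    for rec in parse_log(SAMPLE_LINES)[0]:
        print(rec['User'], rec['Page'], repr(rec['FileName']))
```

The csv filter only helps here if the source quotes the free-text column (file name wrapped in double quotes, embedded quotes doubled); for unquoted text like these records, an anchored pattern or the pipe delimiter the poster settled on is the reliable route. Whichever filter is used, keep the `_grokparsefailure` / `_csvparsefailure` tags in view: a print log feeding a `sec-*` index should surface the lines it could not parse instead of indexing silently shifted fields.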
