Trying to parse a log file line using GROK.
Line:
14-nov-2019 3:03:37.767 queries: client @000000986596B420 10.10.35.11#49780 (31.22.11.10.in-addr.arpa): query: 31.22.11.10.in-addr.arpa IN PTR + (10.10.36.10)
This filter works:
filter {
  grok {
    match => { "message" => "(?<date>\b{2}-\D{3}-\d{4}) (?<time>\d{1,2}:\d{1,2}:\d{1,2}\.\d{1,3}) queries: client (?<clientid>@\S{16}) (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})#(?<ipid>\d{5}) (?<other1>.*)" }
  }
}
outfile.json:
{"@version":"1","@timestamp":"2019-11-21T06:50:23.021Z","clientid":"@000000986596B420","ip":"10.10.35.11","message":"14-nov-2019 3:03:37.767 queries: client @000000986596B420 10.10.35.11#49780 (31.22.11.10.in-addr.arpa): query: 31.22.11.10.in-addr.arpa IN PTR + (10.10.36.10)\r","time":"3:03:37.767","other1":"(31.22.11.10.in-addr.arpa): query: 31.22.11.10.in-addr.arpa IN PTR + (10.10.36.10)\r","host":"VST01-PIOIBTS01","date":"-nov-2019","path":"C:/Upload/DNS_log_02.log","ipid":"49780"}
So - it doesn’t work anymore:
filter {
  grok {
    match => { "message" => "(?<date>\b{2}-\D{3}-\d{4}) (?<time>\d{1,2}:\d{1,2}:\d{1,2}\.\d{1,3}) queries: client (?<clientid>@\S{16}) (?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})#(?<ipid>\d{5}) (?<name1>\([a-z0-9\.-]{1,}\)) (?<other1>.*)" }
  }
}
outfile.json:
{"path":"C:/Upload/DNS_log_02.log","tags":["_grokparsefailure"],"host":"VST01-PIOIBTS01","message":"14-nov-2019 3:03:37.767 queries: client @000000986596B420 10.10.35.11#49780 (31.22.11.10.in-addr.arpa): query: 31.22.11.10.in-addr.arpa IN PTR + (10.10.36.10)\r","@timestamp":"2019-11-21T06:52:22.349Z","@version":"1"}
There seems to be a problem somewhere in this regexp:
(?<name1>\([a-z0-9\.-]{1,}\))
It should parse this line, but for some reason this does not happen:
(31.22.11.10.in-addr.arpa)
And in the constructor, this regexp works!
http://www.pcre.ru/eval/\([a-z0-9\.-]{1%2C}\)%262a%3B%40%3D%23%3D%40000 % 40% 3D% 23% 3D% 40 (22.22.11.10.in-addr.arpa)% 3A /
But GROK writes an error and does not parse the line.
Can you tell me where I went wrong?
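The mismatch can be reproduced outside Logstash. The following is an added example, not code from the post or from Logstash itself: it runs the tail of the posted pattern against the posted log line with Ruby's regex engine, whose `(?<name>...)` capture syntax is the same one Grok uses. The line shows `(31.22.11.10.in-addr.arpa):` with a colon directly after the closing parenthesis, while the posted tail `(?<name1>\(...\)) (?<other1>.*)` requires a space there, so the whole pattern fails and Grok tags the event `_grokparsefailure`. The prefix below also replaces the post's `\b{2}` with `\d{2}`: `\b` is a zero-width word boundary that consumes no characters, which is why the working filter's output shows `"date":"-nov-2019"` rather than `14-nov-2019`. The `^`/`$` anchors and the `chomp` of the trailing `\r` visible in the JSON output are additions of this example.

```ruby
# Added example (not from the original post or from Logstash): reproduce the
# grok mismatch with Ruby's regex engine, whose named-capture syntax matches
# Grok's, then show the corrected pattern.

# The log line from the post, embedded so this runs offline. The trailing
# "\r" mirrors the Windows line ending visible in the posted JSON output.
LOG_LINE = "14-nov-2019 3:03:37.767 queries: client @000000986596B420 " \
           "10.10.35.11#49780 (31.22.11.10.in-addr.arpa): query: " \
           "31.22.11.10.in-addr.arpa IN PTR + (10.10.36.10)\r"

# Shared prefix. `\b{2}` from the post becomes `\d{2}`: `\b` is a zero-width
# word boundary and captures nothing, hence "date":"-nov-2019" in the output.
# The leading `^` (not in the post) keeps the match from sliding along the line.
PREFIX = '^(?<date>\d{2}-\D{3}-\d{4}) ' \
         '(?<time>\d{1,2}:\d{1,2}:\d{1,2}\.\d{1,3}) ' \
         'queries: client (?<clientid>@\S{16}) ' \
         '(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})#(?<ipid>\d{5}) '

# Tail as posted: demands ") " after the name, but the line contains "): ".
TAIL_AS_POSTED = '(?<name1>\([a-z0-9.-]+\)) (?<other1>.*)$'

# Corrected tail: the colon after the closing parenthesis is part of the line.
TAIL_FIXED = '(?<name1>\([a-z0-9.-]+\)): (?<other1>.*)$'

# Mimic grok's behaviour: a non-match yields the _grokparsefailure tag,
# a match yields the named captures as fields.
def grok_like_match(line, pattern)
  m = Regexp.new(pattern).match(line.chomp) # chomp drops the trailing "\r"
  return { 'tags' => ['_grokparsefailure'] } if m.nil?
  m.named_captures
end

# Parse a BIND-style query log line with the corrected pattern.
def parse_dns_query(line)
  grok_like_match(line, PREFIX + TAIL_FIXED)
end

def demo
  as_posted = grok_like_match(LOG_LINE, PREFIX + TAIL_AS_POSTED)
  fixed     = parse_dns_query(LOG_LINE)
  puts "as posted: #{as_posted.inspect}"
  puts "fixed:     #{fixed.inspect}"
  [as_posted, fixed]
end

demo if $PROGRAM_NAME == __FILE__
```

Running the script prints the `_grokparsefailure` tag for the posted tail and the full set of fields (`date`, `time`, `clientid`, `ip`, `ipid`, `name1`, `other1`) for the corrected one; anchoring with `^` and `$` is worth keeping in the real filter, since an unanchored pattern silently matches a substring, which is exactly how `\b{2}` produced a truncated date without any error.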