Grok space expression optional

rotem_lom · October 16, 2018, 10:48am

Hi there,
In my environments I have the following log files:

Domain name: WORKGROUP
Console user name:Administrator
Console user groups: [Administrators,]
Logged in users: [Administrator,]
OS version: Windows 10
OS Platform: x64
Current System Time:2018-08-06T04:14:32-07:00

And I use this grok match to parse this line(line by line):

   grok {
    match => { "message" => "%{GREEDYDATA:key_info}:%{GREEDYDATA:value_info}" }
        }

All the line parse well except for the last line,
the problem in this line is the 'space' - as you can see all the line have space between ':' to the value, and in the last line the ':' connected to value.
How can I making a part in the grok expression optional?
Thanks

Jenni · October 18, 2018, 12:40pm

An optional space would be \s?
But you have another problem: Your value contains ':', so the first GREEDYDATA includes way too much:

{
  "key_info": [
    [
      "Current System Time:2018-08-06T04:14:32-07"
    ]
  ],
  "value_info": [
    [
      "00"
    ]
  ]
}

Try

(?<key_info>[^:]*):\s?%{GREEDYDATA:value_info}
(The key may contain any character but a colon.)

or

(?<key_info>.*?):\s?%{GREEDYDATA:value_info}
(The key may contain any character, but as little as possible.)

rotem_lom · October 21, 2018, 12:34pm

The first one work great !
Thanks!

system · November 18, 2018, 12:34pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok - Parsing a String with Spaces Logstash	6	10000	September 2, 2019
Why _grokparsefailure? Logstash	6	106	February 23, 2024
Regular expression problem Logstash	12	2463	July 6, 2017
Grok Filter Pattern with Comma Logstash	8	14302	July 6, 2017
Make optional character part of a defined regex (HOSTNAME)? Logstash	2	983	February 8, 2018

Grok space expression optional

Related Topics