Grok space expression optional

rotem_lom · October 16, 2018, 10:48am

Hi there,
In my environments I have the following log files:

Domain name: WORKGROUP
Console user name:Administrator
Console user groups: [Administrators,]
Logged in users: [Administrator,]
OS version: Windows 10
OS Platform: x64
Current System Time:2018-08-06T04:14:32-07:00

And I use this grok match to parse this line(line by line):

   grok {
    match => { "message" => "%{GREEDYDATA:key_info}:%{GREEDYDATA:value_info}" }
        }

All the line parse well except for the last line,
the problem in this line is the 'space' - as you can see all the line have space between ':' to the value, and in the last line the ':' connected to value.
How can I making a part in the grok expression optional?
Thanks

Jenni · October 18, 2018, 12:40pm

An optional space would be \s?
But you have another problem: Your value contains ':', so the first GREEDYDATA includes way too much:

{
  "key_info": [
    [
      "Current System Time:2018-08-06T04:14:32-07"
    ]
  ],
  "value_info": [
    [
      "00"
    ]
  ]
}

Try

(?<key_info>[^:]*):\s?%{GREEDYDATA:value_info}
(The key may contain any character but a colon.)

or

(?<key_info>.*?):\s?%{GREEDYDATA:value_info}
(The key may contain any character, but as little as possible.)

rotem_lom · October 21, 2018, 12:34pm

The first one work great !
Thanks!

Topic		Replies	Views
Parse optional field with or without leading spaces Logstash	1	363	March 22, 2017
Correct Grok Pattern for an optional field including spaces Logstash	6	5278	August 1, 2019
Is posible to have iptional field with regex as grok optionals fields? Logstash	6	486	January 6, 2022
Grok filter - issues with spaces and special charecters Logstash	11	9148	June 12, 2017
Optional fields Logstash	3	1176	January 15, 2019

Grok space expression optional

Related topics