Grok Stops Reading at a Backslash?

jakecramer17 · August 6, 2019, 6:50pm

This is an extension to a previously solved topic.

I have this log here (as it appears in the console)

2019-08-05 08:55:15 - jcramer(Software Programmer) - Successfully updated profile

that I've successfully been able to parse with this Grok configuration,

grok { 
    match => { "message" => "^%{TIMESTAMP_ISO8601:syslog_timestamp} - 
    %{USERNAME:syslog_username}\((?<syslog_userinfo>[^)]*)\)\s+- 
    %{GREEDYDATA:syslog_message}" } 
}

however, I receive a _grokparsefailure when the username appears like this in the console:

2019-08-05 08:55:15 - STEM\\psmith(Hardware Engineer) - Successfully updated profile

The acronym before the username is meant to represent something like a department or location. Somehow the inclusion of the backslash causes Grok to not recognize the pattern. I would like to parse the username so that the backslash and information prior to it are included in the username.

So, the end result can look like this

"syslog_username" => "jcramer"

or this

"syslog_username" => "STEM\\psmith"

Badger · August 6, 2019, 6:58pm

Use a custom pattern with the first part optional

(?<syslog_username>([a-zA-Z0-9\._-]+\\\\)?[a-zA-Z0-9\._-]+)\((?<syslog_userinfo>[^)]*)\)

jakecramer17 · August 7, 2019, 4:01pm

Unfortunately that didn't seem to work. The pattern successfully parses in the first example without the backslashes and acronym. I've been trying to keep the log example simple, but I should provide a more accurate format to what I'm parsing:

2019-08-05 08:55:15 - ITD\\psmith(Hardware Engineer)[ECS project update, Standard user] - Successfully updated user information

In the browser, the log appears like this (with one backslash):

2019-08-05 08:55:15 - ITD\psmith(Hardware Engineer)[ECS project update, Standard user] - Successfully updated user information

So the end goal is to parse the fields like so:

"syslog_timestamp" => "2019-08-05 08:55:15"
"syslog_username" => "ITD\\psmith"
"syslog_userinfo" => "Hardware Engineer"
"structured_data" => "ECS project update, Standard user"
"syslog_message" => "Successfully updated user information"

How should I adjust the Grok pattern to include what you've suggested for this log format?

Badger · August 7, 2019, 4:19pm

I didn't realize the backslash was escaped, I thought you meant double backslash, so I had four backslashes in my grok pattern. To match a single backslash reduce that to two.

jakecramer17 · August 7, 2019, 6:28pm

Wow, that worked! I also forgot to include whitespace after the dash, before the username pattern. Fixing both did the trick.

system · September 4, 2019, 6:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.