Grok until first period

Hi, new to creating parsing rules so bear with me. I need to parse up until the first period but can't seem to make it work. Below is what I'm trying to parse.

GlobalProtect gateway user authentication succeeded. Login from: 1.2.3.4

I've tried various forms of %{GREEDYDATA}. but it seems to only go to the last period and not the first. If I set it as %{GREEDYDATA}: it works to the only colon but just need some help when there are multiples of a character.

Thanks!

Use a custom pattern that explicitly matches anything except a period followed by a period.

grok { match => { "message" => "^(?<someField>[^\.]+)\." } }

Great, that did it!

I'm trying to figure out why this works and from the documentation I think the sequence [^.]+ means the [ ] match a single character which the ^ negates what follows which is a period (slash because of special character). So it says give me the start of the string up to the . but leave off the period but I'm not sure how the + comes into play. Any insight?

[ ] is a character group. In this case any character except . The + means one or more of the members of the character group.
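Added example (not part of the original thread): a Ruby script that runs the greedy pattern, the negated character class from the answer above, and a lazy alternative against the line from the question, showing why the greedy form runs on into the IP address and what the + requires. Ruby's regex syntax is close to the Oniguruma syntax grok uses; GREEDYDATA is defined as .* in the stock grok patterns, and the field name "event" and all sample lines after the first are constructed for illustration.

```ruby
# Three ways to capture "everything up to the first period".
# The field name "event" is an assumption made for this example.
GREEDY  = /^(?<event>.*)\./      # GREEDYDATA (.*) followed by an escaped period
NEGATED = /^(?<event>[^.]+)\./   # the pattern from the answer above
LAZY    = /^(?<event>.*?)\./     # non-greedy alternative

# The first line is the one from the question; the rest are constructed.
SAMPLES = [
  "GlobalProtect gateway user authentication succeeded. Login from: 1.2.3.4",
  "GlobalProtect gateway user authentication failed. Login from: 10.0.0.7. Reason: bad password.",
  "no period in this line",
  ".leading period"
]

# Returns the captured text, or nil when the pattern does not match
# (in Logstash, grok tags such an event with _grokparsefailure).
def capture(pattern, line)
  m = pattern.match(line)
  m && m[:event]
end

# Runs all three patterns against one line.
def compare(line)
  { greedy: capture(GREEDY, line),
    negated: capture(NEGATED, line),
    lazy: capture(LAZY, line) }
end

SAMPLES.each do |line|
  puts line.inspect
  compare(line).each { |name, value| puts "  #{name.to_s.ljust(8)} #{value.inspect}" }
end

# What to look for in the output:
# - greedy: .* consumes the whole line, then backtracks to the LAST period,
#   so the capture includes "Login from: 1.2.3".
# - negated: [^.]+ cannot cross a period, so it stops at the first one.
# - ".leading period": [^.]+ needs at least one non-period character, so it
#   fails to match, while the lazy form matches with an empty capture.
```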

Thanks, appreciate that!
