Hi there,
I'm having some issues filtering this section of a log file:
2021-01-19T13:32:25.263Z localhost {reason=user_approved, txid=cbcf50e8-e05e-4ee8-9c6d-125d78b6ff9e, ood_software=null, isotimestamp=2021-01-19T13:29:11.720467+00:00, result=success, access_device={hostname=null, is_password_set=unknown, flash_version=null, os=null, os_version=null, browser=null, ip=0.0.0.0, java_version=null, location={country=uk, city=london, state=null}, browser_version=null, is_firewall_enabled=unknown, is_encryption_enabled=unknown}, event_type=authentication, application={name=prod1, key=28374638900}
I think the issues lie with the { characters, as when I run this as a grok pattern
%{TIMESTAMP_ISO8601:date}%{SPACE}%{WORD:host} \{%{GREEDYDATA:data1}
Everything up to the { is
"date": "2021-01-19T13:32:25.263Z",
"host": "localhost",
"data1": "reason=user_approved, txid=cbcf50e8-e05e-4ee8-9c6d-125d78b6ff9e, ood_software=null, isotimestamp=2021-01-19T13:29:11.720467+00:00, result=success, access_device={hostname=null, is_password_set=unknown, flash_version=null, os=null, os_version=null, browser=null, ip=0.0.0.0, java_version=null, location={country=uk, city=london, state=null}, browser_version=null, is_firewall_enabled=unknown, is_encryption_enabled=unknown}, event_type=authentication, application={name=prod1, key=28374638900}"
but I can't figure out how to parse the text from "reason" onwards. Plus there are other { characters in there that I suspect are going to break something later on.
Is there some way I can parse the data inside the GREEDYDATA pattern? Or can I ignore the { characters, or skip them somehow?
Many thanks for your advice.
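
An added example, not part of the original post: a small recursive parser for the nested `{key=value, key={...}}` payload, written in Ruby so the same logic could be moved into a Logstash ruby filter. The function names are hypothetical, and it assumes values contain no commas or braces. The line as posted never closes its outermost `{`, so end of input is treated as closing any open map.

```ruby
require 'strscan'

# The log line from the post, unchanged (its outermost brace is never closed).
SAMPLE = '2021-01-19T13:32:25.263Z localhost {reason=user_approved, txid=cbcf50e8-e05e-4ee8-9c6d-125d78b6ff9e, ood_software=null, isotimestamp=2021-01-19T13:29:11.720467+00:00, result=success, access_device={hostname=null, is_password_set=unknown, flash_version=null, os=null, os_version=null, browser=null, ip=0.0.0.0, java_version=null, location={country=uk, city=london, state=null}, browser_version=null, is_firewall_enabled=unknown, is_encryption_enabled=unknown}, event_type=authentication, application={name=prod1, key=28374638900}'

MAX_DEPTH = 16 # refuse absurd nesting rather than recurse without bound

# Parse the body of one map; the opening '{' has already been consumed.
def parse_map(s, depth = 0)
  raise ArgumentError, 'nesting too deep' if depth > MAX_DEPTH
  map = {}
  loop do
    s.skip(/[\s,]*/)                          # separators between pairs
    return map if s.eos? || s.skip(/\}/)      # '}' or a truncated line ends the map
    key = s.scan(/[^=,{}\s]+/) or raise ArgumentError, "bad key at offset #{s.pos}"
    s.skip(/\s*=\s*/) or raise ArgumentError, "expected '=' after #{key}"
    if s.skip(/\{/)
      map[key] = parse_map(s, depth + 1)      # nested object
    else
      value = s.scan(/[^,{}]*/).strip         # scalar runs to the next ',' or '}'
      map[key] = value == 'null' ? nil : value
    end
  end
end

# Parse a whole "{...}" payload into nested Hashes.
def parse_braced_kv(text)
  s = StringScanner.new(text)
  s.skip(/\s*\{/) or raise ArgumentError, "expected '{'"
  parse_map(s)
end

# Split "<timestamp> <host> {payload" and parse the payload.
def parse_line(line)
  m = /\A(\S+)\s+(\S+)\s+(\{.*)\z/m.match(line.strip) or raise ArgumentError, 'unrecognised line'
  { 'date' => m[1], 'host' => m[2], 'data' => parse_braced_kv(m[3]) }
end

if __FILE__ == $PROGRAM_NAME
  require 'json'
  puts JSON.pretty_generate(parse_line(SAMPLE))
end
```
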