Hi,
My log is coming in the following format (it's either OK for success with a set of values, or ERR for failure with a different set of values):
ok{fus=192.168.20.1, ful=44001, fui=672a000249d481f10000000c59f5efe3, fuc=0, fuq=2, fut=2017-10-29 19:42:35, fud=6791, fss=2, fst=2, fsi=12, fso=0, fsa=0, fsr=6, cuc=1}, ,
JSON (after split on ,):
"ratingirrelevantoutput": [
"ok{fus=192.168.20.1",
" ful=44001",
" fui=672a000249d481f10000000c59f5efe3",
" fuc=0",
" fuq=2",
" fut=2017-10-29 19:42:35",
" fud=6791",
" fss=2",
" fst=2",
" fsi=12",
" fso=0",
" fsa=0",
" fsr=6",
" cuc=1}",
" ",
" "
],
or
, err{fci=3d05cf03c13810cf0000000159f600ce, fec=26, fee=3, fei=2:20:10003:0, foc=0},
JSON (after split on ,):
"ratingirrelevantoutput": [
"",
" err{fci=3d05cf03c13810cf0000000159f600ce",
" fec=26",
" fee=3",
" fei=2:20:10003:0",
" foc=0}",
" "
],
I would like to identify which one it is (ok or err) and, based on that, pick up the value of each parameter and move it to a separate field.
How would one achieve this with grok? I am currently using a mix of split, gsub and trim to achieve part of it, and was wondering if there is a better / more optimised way of achieving the same with grok.
Thanks,
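
As an added example (not part of the original post), here is a stand-alone Ruby sketch of the parsing the post asks for: one regular expression picks out `ok` or `err` and the brace body, then the body is split into key/value pairs. The names `RECORD_RE` and `parse_record` are hypothetical; the regex uses Oniguruma named groups, the same syntax grok accepts for inline captures.

```ruby
# Added example: parse the ok{...} / err{...} records shown in the post.
# RECORD_RE and parse_record are hypothetical names, not Logstash APIs.
RECORD_RE = /\b(?<status>ok|err)\{(?<body>[^}]*)\}/

# Returns a Hash with "status" plus one entry per key=value pair,
# or nil when the line holds no ok{...} / err{...} record.
def parse_record(line)
  m = RECORD_RE.match(line)
  return nil unless m

  fields = { "status" => m[:status] }
  # Pairs are comma-separated. Values may contain spaces (fut) or
  # colons (fei), so split on commas only and on the first "=" only.
  m[:body].split(",").each do |pair|
    key, value = pair.strip.split("=", 2)
    next if key.nil? || key.empty? || value.nil?
    fields[key] = value
  end
  fields
end

# Sample lines copied from the post, including the stray ", " around them.
OK_LINE = "ok{fus=192.168.20.1, ful=44001, " \
          "fui=672a000249d481f10000000c59f5efe3, fuc=0, fuq=2, " \
          "fut=2017-10-29 19:42:35, fud=6791, fss=2, fst=2, fsi=12, " \
          "fso=0, fsa=0, fsr=6, cuc=1}, ,"
ERR_LINE = ", err{fci=3d05cf03c13810cf0000000159f600ce, fec=26, " \
           "fee=3, fei=2:20:10003:0, foc=0},"

if __FILE__ == $PROGRAM_NAME
  [OK_LINE, ERR_LINE, "no record in this line"].each do |line|
    puts parse_record(line).inspect
  end
end
```

Because the whole record is matched before any splitting, the leading and trailing `, ` debris never reaches the field extraction, and a line with no record returns `nil` so it can be tagged as a parse failure.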