Help with Grok pattern with space in field?

vladislav · December 13, 2021, 5:07pm

I have the following logs looks like:
query: s03.amazon.com IN A + (21.12.21.21)
query: s2.tabtest.com IN AAAA +++ (213.12.21.21)
query: t4.asaptest.com OUT TD OP- (21.124.21.21)

I need output to look like this:
hostname [s03.amazon.com, s2.tabtest.com, t4.asaptest.com]
level [A +, AAAA +++, TD OP-]
ip [21.12.21.21, 213.12.21.21, 21.124.21.21]

I have problems with "level" string, because it contains a space between data. How to write a working grok parser for that? Big thanks for any help.
I've tried something like:
query: %{NOTSPACE:hostname} IN %{NOTSPACE:level}+ %{NOTSPACE:level} %{GREEDYDATA:ip}
but it not works as I mentioned above.

Badger · December 13, 2021, 6:09pm

Is that three separate log lines, or have you already combined them into one event? grok will only match a pattern once. If the pattern is repeated it will not return multiple matches. You can use a ruby filter to do that. Here is an example.

vladislav · December 13, 2021, 8:59pm

There are three separate logs, I added them just to show how it's look like, I know that grok will only match once.
My question is - how to add something like"AAA ++" (with space(s) between data) in one field, and additional task, how to grab ip from '()'
Thanks in advance!

leandrojmp · December 13, 2021, 9:13pm

If your messages have always this format, you do not need grok, you can parse it with dissect.

The following dissect filter parses this message format:

    dissect {
        mapping => {
            "message" => "query: %{hostname} %{} %{level} (%{ip})"
        }
    }

So, considering the examples you shared, you will have as output:

{
       "message" => "query: t4.asaptest.com OUT TD OP- (21.124.21.21)",
      "@version" => "1",
      "hostname" => "t4.asaptest.com",
         "level" => "TD OP-",
    "@timestamp" => 2021-12-13T21:10:15.846Z,
          "host" => "logstash",
            "ip" => "21.124.21.21"
}
{
       "message" => "query: s03.amazon.com IN A + (21.12.21.21)",
      "@version" => "1",
      "hostname" => "s03.amazon.com",
         "level" => "A +",
    "@timestamp" => 2021-12-13T21:10:15.834Z,
          "host" => "logstash",
            "ip" => "21.12.21.21"
}
{
       "message" => "query: s2.tabtest.com IN AAAA +++ (213.12.21.21)",
      "@version" => "1",
      "hostname" => "s2.tabtest.com",
         "level" => "AAAA +++",
    "@timestamp" => 2021-12-13T21:10:15.846Z,
          "host" => "logstash",
            "ip" => "213.12.21.21"
}

Badger · December 13, 2021, 9:24pm

I agree that dissect is a better tool for this use case, but to answer the original question

grok { match => { "message" => "query: %{HOSTNAME:hostName} %{DATA:someField} \(%{IPV4:ip}\)" } }

would produce events like

 "someField" => "OUT TD OP-",
        "ip" => "21.124.21.21",
  "hostName" => "t4.asaptest.com",

vladislav · December 14, 2021, 1:03pm

Thanks @leandrojmp @Badger very much! Everything works fine, tried like @Badger posts with micro-reconfiguring:
query: %{HOSTNAME:hostName} IN %{DATA:level} (%{IPV4:ip})

system · January 11, 2022, 1:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok Parsing for multiple patterns in single log file Logstash	3	292	May 20, 2022
Pattern Assistance ## Logstash	4	812	July 6, 2017
Trailing Whitespaces in Message Field Logstash	17	482	September 5, 2022
Grok - Parsing a String with Spaces Logstash	6	10001	September 2, 2019
Need help with grok parsing Logstash	3	2517	October 12, 2017

Help with Grok pattern with space in field?

Related Topics