Ignoring text and carriage return characters with Grok

espogian · November 13, 2016, 7:42pm

Hello, how can I manage log lines which have multiple /n and /r characters with Grok?
My situation is like:

CSeq:696603683 ACK\r\nMax-Forwards:70\r\nContent-Length:0

And I'm interested in CSeq and Content-Length. Max-Forwards is not always present, so I want to ignore it.
I'm using this Grok pattern:

grok {
  match => {
    "message" => "%{BASE10NUM:CSeqSequenceNumber}\s%{GREEDYDATA:CSeqMethod}\s+(((.|\n)*))?Content-Length:\s%{BASE10NUM:Content-Length}"
  }

But the pipeline does not start, and the reason is the pattern (((.|\n)*))? which I have used to ignore Max-Forwards:70\r\n.

espogian · November 14, 2016, 7:59am

I think I found a viable solution by adding a gsub filter which substitutes /n and /r with "".

system · December 12, 2016, 7:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.