Ignoring text and carriage return characters with Grok

espogian · November 13, 2016, 7:42pm

Hello, how can I manage log lines which have multiple /n and /r characters with Grok?
My situation is like:

CSeq:696603683 ACK\r\nMax-Forwards:70\r\nContent-Length:0

And I'm interested in CSeq and Content-Length. Max-Forwards is not always present, so I want to ignore it.
I'm using this Grok pattern:

grok {
  match => {
    "message" => "%{BASE10NUM:CSeqSequenceNumber}\s%{GREEDYDATA:CSeqMethod}\s+(((.|\n)*))?Content-Length:\s%{BASE10NUM:Content-Length}"
  }

But the pipeline does not start, and the reason is the pattern (((.|\n)*))? which I have used to ignore Max-Forwards:70\r\n.

espogian · November 14, 2016, 7:59am

I think I found a viable solution by adding a gsub filter which substitutes /n and /r with "".

system · December 12, 2016, 7:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Ignore Text and carriage return characters Logstash	6	10871	June 8, 2017
How to get Grok Filter to see Newline and Carriage Returns? Logstash	2	7309	July 6, 2017
Help needed for reading Logs Logstash	10	1015	December 16, 2016
Grok pattern to account for # Logstash	2	123	October 6, 2023
Issues with grok parsing logs that vary Logstash	4	704	July 6, 2017

Ignoring text and carriage return characters with Grok

Related topics