I have a problem with the grok plugin: curly bracket does not match in the Grok filter plugin
sample log:
{Allowed/Denied} ....
regex:
ACTION_FIREWALL (Allowed|Denied)
Pattern:
{%{ACTION_FIREWALL:action_firewall}}
When I try this regex and custom pattern I get a "not match" error. I tested the regex on https://regex101.com/ and everything is OK.
How can I fix this problem?
Thanks for your help!
confused by the sample log.
Can you please update regex101.com and save as an example and post the data and the regex you tried as part of the regex101.com example link. Something like : https://regex101.com/r/PBNZ5u/1
Hi Kelk, and thanks for the reply
sample log:
[1399-05-01 14:37:52] {Allowed/Denied} connection on client
pattern (SEMANTIC):
[%{FDATE:fdate}\s%{FTIME:ftime}]\s{%{ACTION_FIREWALL:action_firewall}}
syntax:
FDATE [0-9]{1,4}-[0-9]{1,2}-[0-9]{1,2}
FTIME [0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}
ACTION_FIREWALL (Allowed|Denied)
In the grok debugger, with the bracket closed, I get the error "no matches"
Try \[%{FDATE:fdate}\s%{FTIME:ftime}\]\s{%{ACTION_FIREWALL:action_firewall}}
Hello @Jenni, thanks for the reply. I tested it; it is not working
https://grokdebug.herokuapp.com/
@Jenni please see link
https://grokdebug.herokuapp.com/
You meant that your log lines are [1399-05-01 14:37:52] {Allowed} connection on client or [1399-05-01 14:37:52] {Denied} connection on client, didn't you? That's working fine for me.
[1399-05-01 14:37:52] {Allowed} connection on client
leads to:
{
  "fdate": [
    [
      "1399-05-01"
    ]
  ],
  "ftime": [
    [
      "14:37:52"
    ]
  ],
  "action_firewall": [
    [
      "Allowed"
    ]
  ]
}
Yes, I mean the action is Allowed or Denied
https://grokdebug.herokuapp.com/
When I close the curly bracket to continue parsing the log, I get the error "no matches"
Please find sample data and equivalent Grok
[1399-05-01 14:37:52] {Allowed} connection on client
[1399-05-01 14:37:52] {Denied} connection on client
grok
\[%{TIMESTAMP_ISO8601:timestamp}\]\s*\{%{WORD:action_firewall}\}\s*%{GREEDYDATA:rest_of_msg}
@kelk please see this link
https://grokdebug.herokuapp.com/
Did it work for you?
The link you sent is just a generic link. The herokuapp doesn't give a unique link like regex101, unfortunately. So we can't see what you have done.
[%{FDATE:fdate}\s%{FTIME:ftime}]\s{%{ACTION_FIREWALL:action_firewall}}
This pattern does not work for me
I get the error "no matches"
But you didn't even apply the changes I had suggested (I escaped the [])
So the log line does really say {Allowed/Denied} and not {Allowed} or {Denied}? That sounds strange to me, but then your custom pattern would have to say
ACTION_FIREWALL Allowed/Denied
Oh sorry, my bad: Allowed or Denied, not {Allowed/Denied}
@Jenni thanks for the help, it worked
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
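The two issues from the thread (unescaped square brackets, and a sample line that literally says Allowed/Denied) can be reproduced offline with the following added example, which is not code from any poster or from Logstash. It assumes Python's `re` as a stand-in for grok's Oniguruma engine, so the unescaped expression is rejected at compile time here instead of reporting "no matches"; the helper names `expand`, `unescaped_literals` and `parse` are hypothetical.

```python
import re
import warnings

# Custom patterns quoted in the thread (grok name -> regex).
PATTERNS = {
    "FDATE": r"[0-9]{1,4}-[0-9]{1,2}-[0-9]{1,2}",
    "FTIME": r"[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}",
    "ACTION_FIREWALL": r"(Allowed|Denied)",
}
REF = re.compile(r"%\{(\w+):(\w+)\}")  # %{NAME:field}

ORIGINAL = r"[%{FDATE:fdate}\s%{FTIME:ftime}]\s{%{ACTION_FIREWALL:action_firewall}}"
ESCAPED = r"\[%{FDATE:fdate}\s%{FTIME:ftime}\]\s{%{ACTION_FIREWALL:action_firewall}}"


def expand(grok):
    """Turn each %{NAME:field} into a Python named group."""
    return REF.sub(lambda m: "(?P<%s>%s)" % (m.group(2), PATTERNS[m.group(1)]), grok)


def unescaped_literals(grok):
    """List bare [ ] { } outside %{...}: candidates for escaping.
    Simplification: a bracket preceded by a backslash counts as escaped."""
    masked = REF.sub(lambda m: " " * len(m.group(0)), grok)
    return [m.group(0) for m in re.finditer(r"(?<!\\)[\[\]{}]", masked)]


def parse(grok, line):
    """Return the captured fields, or None if the expression is rejected
    by the regex engine or does not match the line."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", FutureWarning)
        try:
            m = re.search(expand(grok), line)
        except re.error:
            return None
    return m.groupdict() if m else None


if __name__ == "__main__":
    # Sample lines taken from the thread.
    for line in ("[1399-05-01 14:37:52] {Allowed} connection on client",
                 "[1399-05-01 14:37:52] {Allowed/Denied} connection on client"):
        for name, grok in (("original", ORIGINAL), ("escaped", ESCAPED)):
            print(name, unescaped_literals(grok), parse(grok, line))
```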