I couldn't really figure out a good way to explain this in the topic heading.
I have been using the following grok filter, and up until a couple days ago, it was working fine.
    grok {
        match => {"message_id" => "%{DATA:[user_name]}:%{HOSTNAME:[domain_name]}\(%{NUMBER:[number]}\)"}
        add_field => [ "received_at", "%{@timestamp}" ]
        add_field => [ "processed", 0 ]
    }
This works great for things like the following:
jimmy.jones:jjones.131sku.com(187780383)
Where it breaks is the following:
I modified the above string to have a dot "." at the beginning of the domain_name (it's a subtle change, that's why I am pointing it out):
    jimmy.jones:.jjones.131sku.com(187780383)
This, of course, gets a _grokparsefailure.
I have messed with the Grok Debugger, but I can't figure out any way to say that the dot is optional along with using the HOSTNAME. This doesn't blow up (adding the ?. before the HOSTNAME):
    grok {
        match => {"message_id" => "%{DATA:[threat_name]}:?.%{HOSTNAME:[domain_name]}\(%{NUMBER:[sig_num]}\)"}
        add_field => [ "received_at", "%{@timestamp}" ]
        add_field => [ "processed", 0 ]
    }
But it only stores the domain_name after the dot and doesn't store the dot. So it stores the domain_name with either string, but I am missing the dot.
Is there a way to do this? I figure I will start messing with defining my own regex in the morning if it can't be done.
Thanks.
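Added example (not part of the original post): a small Python script that reproduces the behaviour described above by translating both grok expressions into plain regular expressions. It assumes the HOSTNAME definition from logstash-patterns-core (copied below, with its inner capture group made non-capturing) and uses a simplified `[0-9]+` in place of grok's NUMBER. The `parse` helper and the two constructed sample message_ids are my own. The fix it demonstrates is to put the optional literal dot inside a named capture that wraps HOSTNAME, which in grok syntax would be written as `(?<domain_name>\.?%{HOSTNAME})`.

```python
import re

# Regex behind grok's %{HOSTNAME} (assumed to match logstash-patterns-core;
# the trailing capture group is made non-capturing here).
HOSTNAME = (r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})"
            r"(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)")
DATA = r".*?"        # grok's %{DATA}
NUMBER = r"[0-9]+"   # simplified stand-in for grok's %{NUMBER}

# The ":?." workaround from the post. In regex terms, "?" makes the COLON
# optional and the unescaped "." matches any single character. The "\b" at the
# start of HOSTNAME then forces the "." to consume either the ":" or the dot,
# so the dot never lands inside domain_name.
WORKAROUND = re.compile(
    rf"(?P<user_name>{DATA}):?.(?P<domain_name>{HOSTNAME})\((?P<number>{NUMBER})\)"
)

# Fix: an escaped, optional dot placed INSIDE the domain_name capture.
# Grok equivalent:
#   %{DATA:user_name}:(?<domain_name>\.?%{HOSTNAME})\(%{NUMBER:number}\)
FIXED = re.compile(
    rf"(?P<user_name>{DATA}):(?P<domain_name>\.?{HOSTNAME})\((?P<number>{NUMBER})\)"
)


def parse(pattern, message_id):
    """Return the named captures as a dict, or None on a grok-style parse failure."""
    m = pattern.search(message_id)
    return m.groupdict() if m else None


# Constructed sample values modelled on the post.
SAMPLES = [
    "jimmy.jones:jjones.131sku.com(187780383)",
    "jimmy.jones:.jjones.131sku.com(187780383)",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg)
        print("  workaround:", parse(WORKAROUND, msg))
        print("  fixed:     ", parse(FIXED, msg))
```

Running it shows the workaround yielding `jjones.131sku.com` for both inputs (the leading dot is silently dropped), while the fixed pattern keeps `.jjones.131sku.com` when the dot is present and still matches the original string when it is not.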