Make optional character part of a defined regex (HOSTNAME)?


(Edward Arcuri) #1

I couldn't really figure out a good way to explain this in the topic heading.

I have been using the following grok filter, and up until a couple days ago, it was working fine.

grok {
      match => {"message_id" => "%{DATA:[user_name]}:%{HOSTNAME:[domain_name]}\(%{NUMBER:[number]}\)"}
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "processed", 0 ]
}

This works great for things like the following:
jimmy.jones:jjones.131sku.com(187780383)

Where it breaks is the following:
I modified the above string to have a dot "." at the beginning of the domain_name (it's a subtle change, that's why I am pointing it out).

jimmy.jones:.jjones.131sku.com(187780383)

This, of course, gets a _grokparsefailure.

I have messed with the Grok Debugger, but I can't figure out any way to say that the dot is optional along with using the HOSTNAME. This doesn't blow up (adding the ?. before the HOSTNAME):

grok {
      match => {"message_id" => "%{DATA:[threat_name]}:?.%{HOSTNAME:[domain_name]}\(%{NUMBER:[sig_num]}\)"}
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "processed", 0 ]
}

But it just stores the domain_name after the dot and doesn't store the dot. So it stores the domain_name with either string, but I am missing the dot.
Is there a way to do this? I figure I will start messing with defining my own regex in the morning if it can't be done.

Thanks.


(Guy Boertje) #2

I think you should escape the dot \.?. In regex a dot is special and means any character.
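
As an added example that is not part of the thread: a small Ruby script that expands a grok expression into the regex Logstash compiles it to (the DATA, HOSTNAME and NUMBER bodies are simplified copies of the stock patterns, and field names are written plainly as user_name instead of [user_name]) and runs the three variants discussed above on both sample strings: the unescaped "?." from the question, the escaped "\.?" from the reply, and a grok named capture that wraps the optional dot together with HOSTNAME so the dot ends up inside domain_name.

```ruby
# Added example, not code from the thread. Simplified copies of the stock
# grok pattern bodies (logstash-patterns-core); HOSTNAME cannot start with a dot.
PATTERNS = {
  'DATA'     => '.*?',
  'HOSTNAME' => '\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)',
  'NUMBER'   => '[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)',
}.freeze

# Expand %{NAME:field} into a named capture and bare %{NAME} into a
# non-capturing group, the same textual substitution grok performs.
def grok_to_regexp(expr)
  src = expr.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    body = PATTERNS.fetch(Regexp.last_match(1))
    Regexp.last_match(2) ? "(?<#{Regexp.last_match(2)}>#{body})" : "(?:#{body})"
  end
  Regexp.new(src)
end

# Unanchored search like grok; returns the named captures or nil on failure.
def grok_match(expr, text)
  m = grok_to_regexp(expr).match(text)
  m && m.named_captures
end

# Constructed inputs: the two message_id values from the question.
SAMPLES = [
  'jimmy.jones:jjones.131sku.com(187780383)',   # original form
  'jimmy.jones:.jjones.131sku.com(187780383)',  # leading dot on the domain
].freeze

# 1) Unescaped "?." makes the colon optional and "." a wildcard; the wildcard
#    eats the dot, so domain_name never contains it.
UNESCAPED = '%{DATA:user_name}:?.%{HOSTNAME:domain_name}\(%{NUMBER:number}\)'
# 2) Escaped "\.?" is a literal optional dot: both inputs match, but the dot
#    is still consumed outside the domain_name capture.
ESCAPED   = '%{DATA:user_name}:\.?%{HOSTNAME:domain_name}\(%{NUMBER:number}\)'
# 3) A grok named capture around "\.?%{HOSTNAME}" keeps the dot in the field.
CAPTURED  = '%{DATA:user_name}:(?<domain_name>\.?%{HOSTNAME})\(%{NUMBER:number}\)'

if __FILE__ == $0
  { unescaped: UNESCAPED, escaped: ESCAPED, captured: CAPTURED }.each do |label, expr|
    SAMPLES.each { |s| puts "#{label}: #{grok_match(expr, s).inspect}" }
  end
end
```

The first two variants return domain_name without the leading dot for the dotted input; only the named-capture variant returns ".jjones.131sku.com" there while still returning "jjones.131sku.com" for the original string.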
