Match none or multiple words in parentheses in grok


(Marc Eggenberger) #1

I have a question about grok. I'm a total beginner and was searching but couldn't find a solution. I have log files with data that is in parentheses. Sometimes there is no data in it. The log lines look like

2017-11-24 12:42:10 - ive - [192.168.231.247] pmuster001(Always Tunnel Mode)[ABC Users - Always Tunnel] - VPN Tunneling: User with IP 192.168.241.1 connected with SSL transport mode.

Some lines have no data in those parentheses, like
2017-11-24 12:42:10 - ive - [127.0.0.1] System()[] - VPN Tunneling: Optimized ACL count = 1.

My current grok pattern is
%{TIMESTAMP_ISO8601} \- %{WORD:Source} \- \[%{IPV4:ClientIP}\] %{WORD:User}\(%{WORD:UserRealm}

That matches everything up to the first word in the first example

How would I achieve that it catches everything between the parentheses, and also if it's empty?


(Marc Eggenberger) #2

Well .. it looks I'm a little bit further .... I came up with this grok:

%{TIMESTAMP_ISO8601} \- %{WORD:Source} \- \[%{IPV4:ClientIP}\] %{WORD:User}(?<UserRealm>(\((.)*?)\))(?<UserMode>(\[(.)*?)\]) \- %{GREEDYDATA:Message}

So I'm using regex there. I'm still getting the data with the parentheses but I assume grok will also work with regex capture groups and I'll try to read up on this.

Is that a correct way of doing this or any better way?


(Magnus Bäck) #3

To match any character except closing parenthesis use [^)] (or [^\)] if you possibly need it). Hence, to match "(foo bar)" and grab the (possibly empty) string between the parentheses you can use \((?<fieldname>[^)]*)\).


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.