Need help with grok parsing

Benoit_Martin · September 14, 2017, 1:34am

Hi,

I try to use grok and parse two type of log entry possibility.

The field is a hostname receive by Cisco Prime.

Possibility 1 : AP23132_01,80:e0:1d:e0:c2:10
Possibility 2 : 80:e0:1d:e0:c2:10:AP23132_01

AP23132_01 can also vary with that pattern name.

AP23174_02
TCDAYFA001
TCDMYFA005
TCDQYFA004
TEDFYFA003
TMDGYFA002
TEHBYFA001
TMDFYFA006
TTELYFA111

I build a regex with regex101 and the result is ^[A-Z|0-9]{7}.\d{2}

Now I use grok and try to extract mac address from that filed and add a field MACADDRESS and extract the APNAME with the regex.

    grok {
      match => { "thefield" => [ "%{MAC:MACADDRESS}", "(?<APNAME>^[A-Z|0-9]{7}.\d{2})" ] }
    }

Mac address part work fine but the APNAME part is not working. Can you help me to find the right solution .

Thank you!!!

Benoit_Martin · September 14, 2017, 2:52pm

I fix my problem by using 2 grok instead of one. Someone can help me to use a better way to do that please ?

    grok {
      match => { "CISCO-PRIME::Nom_Equipement" => "%{MAC:MACADDRESS}" }
    }
    grok {
      match => { "CISCO-PRIME::Nom_Equipement" => "(?<APNAME>(^|)[A-Z|0-9]{7}.\d{2})" }
    }

NerdSec · September 14, 2017, 3:27pm

You will have to use 2 groks.
That is the only way of doing it, that I am aware of.

system · October 12, 2017, 3:27pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.