Oracle listener regexp/grok pattern help

FrankC · December 2, 2016, 5:45pm

Hi,

I need to get oracle listener logs loaded using LS. I was able to extract the timestamp and replace the LS @timestamp successfully as well as some other info.
I am fairly new to regexp/grok, but came across this pattern. It appears to be working as it creates program, user, ip_client fields in ES, but I want to better understand how this works.

Mock-up of a listener event:
02-DEC-2016 01:01:01 * (CONNECT_DATA=(SID=xyz)(CID=(PROGRAM=someprogram)(HOST=somehost)(USER=someone))) * (ADDRESS=(PROTOCOL=tcp)(HOST=0.0.0.0)(PORT=000)) * establish * somehost * 0

grok {
match => [ "lsnr_message","^.PROGRAM=(?.?)).USER=(?.?)).*ADDRESS.HOST=(?<ip_client>%{IP}).$" ]
}

One thing I noticed during testing is that sometimes I see (PROGRAM=). I get a grok parse failure. Is there a way to modify this pattern to have it as optional?

Frank

magnusbaeck · December 7, 2016, 6:40am

Please mark your grok expression as preformatted text so it isn't mangled. If you read your expression as posted above you'll notice that there are pieces missing.

system · January 4, 2017, 6:41am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.