Oracle listener regexp/grok pattern help

Hi,

I need to get Oracle listener logs loaded using LS. I was able to extract the timestamp and replace the LS @timestamp successfully, as well as some other info.
I am fairly new to regexp/grok, but came across this pattern. It appears to be working as it creates program, user, ip_client fields in ES, but I want to better understand how this works.

Mock-up of a listener event:
02-DEC-2016 01:01:01 * (CONNECT_DATA=(SID=xyz)(CID=(PROGRAM=someprogram)(HOST=somehost)(USER=someone))) * (ADDRESS=(PROTOCOL=tcp)(HOST=0.0.0.0)(PORT=000)) * establish * somehost * 0

```
grok {
  match => [ "lsnr_message","^.PROGRAM=(?.?)).USER=(?.?)).*ADDRESS.HOST=(?<ip_client>%{IP}).$" ]
}
```

One thing I noticed during testing is that sometimes I see (PROGRAM=). I get a grok parse failure. Is there a way to modify this pattern to have it as optional?

Frank
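The following is an added example, not part of Frank's post or the Logstash project: a stand-alone Ruby check of a reconstructed grok-style pattern for the listener line above, with the `(PROGRAM=...)` segment made optional. Ruby's regex engine (Onigmo) uses the same `(?<name>...)` named-group syntax as Logstash grok, so the pattern string can be pasted into a grok `match` as-is. The pattern itself, the `[^)]*` captures in place of `.*?`, the IPv4 stand-in for grok's `%{IP}`, and the sample lines are all assumptions made here so the example runs offline; the field names `program`, `user` and `ip_client` are the ones named in the post.

```ruby
# Added example (not from the original post): exercising a grok-compatible
# pattern for Oracle listener "establish" lines outside Logstash.

# The pattern as it would be written in a grok match. The PROGRAM segment is
# wrapped in an optional non-capturing group so lines with "(PROGRAM=)" or
# with no PROGRAM segment at all still match. [^)]* captures up to the
# closing paren instead of relying on a lazy .*? (assumption: values never
# contain ")").
GROK_PATTERN = '^.*CONNECT_DATA=' \
               '(?:.*\(PROGRAM=(?<program>[^)]*)\))?' \
               '.*\(USER=(?<user>[^)]*)\)' \
               '.*ADDRESS=.*\(HOST=(?<ip_client>%{IP})\)'

# Assumption: grok's built-in %{IP} is replaced by a plain IPv4 matcher so
# the example runs without the grok pattern library.
IPV4 = '(?:\d{1,3}\.){3}\d{1,3}'

LISTENER_REGEXP = Regexp.new(GROK_PATTERN.gsub('%{IP}', IPV4))

# Constructed sample lines: the post's mock-up, the "(PROGRAM=)" variant that
# caused the parse failure, a line with no PROGRAM segment, and a
# non-connection line that should not match at all.
SAMPLE_LINES = [
  '02-DEC-2016 01:01:01 * (CONNECT_DATA=(SID=xyz)(CID=(PROGRAM=someprogram)(HOST=somehost)(USER=someone))) * (ADDRESS=(PROTOCOL=tcp)(HOST=0.0.0.0)(PORT=000)) * establish * somehost * 0',
  '02-DEC-2016 01:01:02 * (CONNECT_DATA=(SID=xyz)(CID=(PROGRAM=)(HOST=somehost)(USER=someone))) * (ADDRESS=(PROTOCOL=tcp)(HOST=0.0.0.0)(PORT=000)) * establish * somehost * 0',
  '02-DEC-2016 01:01:03 * (CONNECT_DATA=(SID=xyz)(CID=(HOST=somehost)(USER=someone))) * (ADDRESS=(PROTOCOL=tcp)(HOST=0.0.0.0)(PORT=000)) * establish * somehost * 0',
  '02-DEC-2016 01:01:04 * service_update * somehost * 0',
].freeze

# Returns a hash of captured fields, or nil when the line does not match
# (the equivalent of a _grokparsefailure tag). Empty captures are dropped
# by default, mirroring grok's keep_empty_captures => false.
def parse_listener_line(line, keep_empty: false)
  m = LISTENER_REGEXP.match(line)
  return nil if m.nil?

  fields = {}
  m.names.each do |name|
    value = m[name]
    next if value.nil?                  # optional group did not participate
    next if value.empty? && !keep_empty # "(PROGRAM=)" yields an empty capture
    fields[name] = value
  end
  fields
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_LINES.each do |line|
    result = parse_listener_line(line)
    puts(result ? result.inspect : '_grokparsefailure')
  end
end
```

With this pattern an absent or empty PROGRAM no longer fails the whole match; `user` and `ip_client` are still extracted. If the empty `program` field should appear in the event anyway, set `keep_empty_captures => true` on the grok filter (or pass `keep_empty: true` here).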

Please mark your grok expression as preformatted text so it isn't mangled. If you read your expression as posted above you'll notice that there are pieces missing.
