Parsing issue in Logstash grok

varun1992 · December 15, 2020, 1:51pm

I am having a grok issue. I have a log like below

Login Success [user: jsaver] [Source: 10.110.20.58]

How can I parse the this log with grok filter ?

aaron-nimocks · December 15, 2020, 2:11pm

Here is an example to show how it works.

Sample Data - Login Success [user: jsaver] [Source: 10.110.20.58]

Pattern - %{DATA:action} %{DATA:outcome} \[user: %{USERNAME:user}\] \[Source: %{IPV4:source}\]

Result

{
  "action": "Login",
  "source": "10.110.20.58",
  "user": "jsaver",
  "outcome": "Success"
}

varun1992 · December 16, 2020, 5:13am

Thanks for the replay.

Is it possible to parse action and outcome together?

like "action": "Login Success"

aaron-nimocks · December 16, 2020, 3:31pm

Pattern
(?<action>%{WORD} %{WORD}) \[user: %{USERNAME:user}\] \[Source: %{IPV4:source}\]

Result

{
  "action": "Login Success",
  "source": "10.110.20.58",
  "user": "jsaver"
}

varun1992 · December 17, 2020, 2:27pm

thanks

system · January 14, 2021, 2:27pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.