Parsing log with "@" as token

xtingray · November 12, 2015, 11:15pm

I'm having a hard time parsing a log with this configuration:

username/user_id@domain

Example:

jhon/999@test.com

I am using this grok expression:

match => "%{DATA:username}/%{DATA:user_id}\@%{DATA:domain}"

But the "domain" variable is always lost. Any suggestion to get the three values in a clean way?

xtingray · November 13, 2015, 12:35am

Finally I could solve it using this grok expression:

match => "%{DATA:username}/%{USER:user_id}@%{HOSTNAME:domain}"

magnusbaeck · November 13, 2015, 6:30am

Yeah, be very careful with more than one DATA or GREEDYDATA in the same expressions. Use stricter patterns whenever you can.

Topic		Replies	Views
Not able to parse fields with logstash Logstash	4	1618	July 6, 2017
Grok Regex - Captured and Non-Captured Groups Logstash	3	3780	July 6, 2017
Distinguishing username from domain\username using grok Logstash	2	623	February 17, 2022
Grok pattern to extract username on %{GREEDYDATA:log} Logstash	3	538	April 5, 2018
Pattern for the following Logstash	1	209	July 9, 2019