Parsing syslog param1=value1 param2="value2"

Elitlogik · November 16, 2020, 3:49pm

Trying to learn GROK by using the GROK debugger tool in Kibana.

Data is stuctured like this:

param1=value1 param2="value 2" param4=param4
param1=value1 param2="value 2" param3=param3 param4=param4

Questions are:

Will I be able to write a filter/GROK that takes care of a dynamic structure (sometimes paramX is missing)?
Do I need to define the structure? Can't I just make [foreach paramX, store the key paramX with a value of valueX]?

The only thing that's complicating parsing is that sometimes valueX contains one or more spaces, but then its surrounded by "

Thank you very much for your support!

Badger · November 16, 2020, 3:54pm

Why not use a kv filter?

Elitlogik · November 16, 2020, 3:56pm

Thank you for your reply. Please tell me a little more... Is that a plugin? Why would threre be a benefit?

Elitlogik · November 16, 2020, 9:52pm

Thank you very much for pointing me in the right direction

system · December 14, 2020, 9:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Using KV and Grok to parse complex data Logstash	2	435	June 30, 2021
Logstash - How to Dynamic Parse Log's value Logstash	9	279	October 17, 2023
Parsing a syslog message before sending to elastic with empty fields Logstash	7	175	April 23, 2024
Kvpairs where one of the values is a JSON structure Logstash	9	2573	July 6, 2017
KV pairs automatically parsed by logstash? Logstash	4	99	April 10, 2024