Parsing syslog param1=value1 param2="value2"

Elitlogik · November 16, 2020, 3:49pm

Trying to learn GROK by using the GROK debugger tool in Kibana.

Data is stuctured like this:

param1=value1 param2="value 2" param4=param4
param1=value1 param2="value 2" param3=param3 param4=param4

Questions are:

Will I be able to write a filter/GROK that takes care of a dynamic structure (sometimes paramX is missing)?
Do I need to define the structure? Can't I just make [foreach paramX, store the key paramX with a value of valueX]?

The only thing that's complicating parsing is that sometimes valueX contains one or more spaces, but then its surrounded by "

Thank you very much for your support!

Badger · November 16, 2020, 3:54pm

Why not use a kv filter?

Elitlogik · November 16, 2020, 3:56pm

Thank you for your reply. Please tell me a little more... Is that a plugin? Why would threre be a benefit?

Elitlogik · November 16, 2020, 9:52pm

Thank you very much for pointing me in the right direction

system · December 14, 2020, 9:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parse Logs in Logstash Logstash	5	452	February 18, 2020
Using KV and Grok to parse complex data Logstash	2	440	June 30, 2021
Logstash - How to Dynamic Parse Log's value Logstash	9	279	October 17, 2023
Parsing a syslog message before sending to elastic with empty fields Logstash	7	179	April 23, 2024
Grok filter on dynamic source field name Logstash	1	389	November 20, 2018