Pattern Assistance ##

Hans · May 6, 2015, 10:58am

I would like to ask assistance with the following pattern to
arrange them into different fields. The main challenge is the two # before each
different field and then in the fields there are spaces as well. I tried to use
the Grok Discovery tool however this also does not work. Assistance in this
matter will be appreciated, here is the log I would like to put into different fields
where delaminate is the ## of the message and before each : the description of
the field:

2015-05-06T11:35:15+01:00 10.9.8.1 GW WWW ##Event:PPP Update
Procedure ##IM:587618634854802 ##DN:86975136463696 ##Action:Update ##Access
Type:IP ##IPv4:11.12.12.21 ##IP assigned Type:Local assigned ##Account
Type:offline & online ##AAA:name ##CPU Group No:6/1 ##NSAPI:5

kaaelhaa · May 6, 2015, 1:33pm

You should try using this tool: http://grokconstructor.appspot.com/
It can basically help you through the parsing step by step.

magnusbaeck · May 7, 2015, 6:31am

I'd use the kv filter instead of grok. You'll still need a grok filter to extract the key/value pairs though.

filter {
  grok {
    match => [
      "message",
      "(?<timestamp>%{TIMESTAMP_ISO8601}\+\d\d:\d\d) %{IP} %{WORD} %{WORD} ##%{GREEDYDATA:kvdata}"
    ]
  }
  kv {
    field_split => "##"
    value_split => ":"
    source => "kvdata"
    remove_field => "kvdata"
  }
}

Hans · May 7, 2015, 6:54am

Thank you Magnusbaeck for the assistance, it is truly appreciated. the code works beautifully and without any problems.