Problem parsing with grok

Miguel_Leite · October 29, 2018, 3:34pm

I'm trying to parse the following string using grok:

(ADDRESS=(PROTOCOL=tcp)(HOST=172.18.213.2)(PORT=52737))

I tried using the kv filter but I was having problems regarding the parenthesis...
With the following pattern I got the results:

\((?<field>[^)]*)\((?<prt>[^)]*)\)\((?<host>[^)]*)\)\((?<port>[^)]*)\)

{
  "field": [
    [
      "ADDRESS="
    ]
  ],
  "prt": [
    [
      "PROTOCOL=tcp"
    ]
  ],
  "host": [
    [
      "HOST=172.18.213.2"
    ]
  ],
  "port": [
    [
      "PORT=52737"
    ]
  ]
}

Which is not exactly how I wanted to parse it. Can anyone help me? Maybe there is a way using the kv filter, which would be the easiest way to parse that log...

rijinmp · October 30, 2018, 10:33am

Check this grok filter:

(%{DATA:field}=(%{DATA:prt})(%{DATA:host})(%{DATA:port}))

rijinmp · October 30, 2018, 10:38am

This filter wont work , some / are hided when I am pasted here

system · November 27, 2018, 10:38am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.