Splitt Message after Hostname

Hi,

I have following line:

message: <30>Jan 24 13:59:45 10.243.x.x named[10148]: queries: client 10.243.x.x#47205 (88.255.x.x.in-addr.arpa): query: 88.255.x.x.in-addr.arpa IN PTR + (10.243.x.x)

I allready split it and have to split a second line:

syslog-message: queries: client 10.243.x.x#47205 (88.255.x.x.in-addr.arpa): query: 88.255.x.x.in-addr.arpa IN PTR + (10.243.x.x)

I'm using following grok

queries: client %{IP:dns_client_ip}#%{NUMBER:dns_client_key} (%{WORD:hostname}.%{WORD:domain1}.%{WORD:domain2}

Content in () could be:

• ip Adress : 10.10.x.x
• Hostname with special character: _nfsdomain.my.dom
• Hostname with no specialcarakter: myhost.my.dom

How could I define content betwen ( ) as one word ?

Regards

Hi @A.Klos
in grok you can use NOTSPACE try this it may work.

Thnks.

Krunal k.

Thank you,

now I have following Pattern:

queries: client %{IP:dns_client_ip}#%{NUMBER:dns_client_key} (%{NOTSPACE:Hostname})

Hostname looks: _nfsv4idmapdomain.XX.XX):

Only last thing is remove ): at the end.

I think with gsub?

mutate {
gsub => ["message",")", ""]
}

Hi,

I solved problem:

filter {
if [type] == "syslog-infoblox" {
grok {
match => [ "message", "%{SYSLOG5424PRI}%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}"]
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
grok {
match =>
[ "syslog_message","queries: client %{IP:source}#%{NUMBER:dns_client_key} (%{NOTSPACE:target_work}" ]
}
grok {
match =>
[ "target_work","%{URIHOST:target}):" ]
remove_field => [ "target_work" ]
remove_field => [ "dns_client_key" ]
remove_field => [ "dns_client_key" ]
}
}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]

    }

}

Field is now: target.

Regards

great

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.