Hi.
Im use grok patterns to extract info from Palo Alto log. But im try to extract a substring on description field like this
authenticated for user 'newUser'. auth profile 'D', server profile 'LTY', server address '', From: 179.213.123.244.
I want to extract the value next to user, between '' and the IP next to "From" but I dont have idea the correct form.
Any idea?
Thks
I would try
grok {
break_on_match => false
match => {
"[message]" => [
"%{IPV4:ipAddress}",
"user '%{USER:username}'"
]
}
}This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.