Substring with grokPattern

mvasqueznr · September 23, 2021, 7:51pm

Hi.

With this example data

GigabitEthernet102/0/0/28 = TLU-46356_CAR_ONE_RIVERO_AUTO_CENTER_PRINCIPAL Traffic (SNMP Traffic) Down  (The interface is disconnected: ifOperStatus=down (2) (code: PE058))

Im try to get a substring ever that found "TLU" pattern and create a new field like this "TLU-46356"

Im use a grok pattern like this

if ([logMessage] =~ /TLU-/){
           grok { match => { "logMessage" => 'TLU=(?<TLU>[0-9a-fx]{8})' }
    }

But don´t work and the result is "grokparsefailure"

Any idea, please.

aaron-nimocks · September 23, 2021, 8:48pm

Try this one.

= (?<tlu>%{WORD}-%{INT}) = { "tlu": "TLU-46356" }

or

TLU-%{INT:tlu} = { "tlu": "46356" }

system · October 21, 2021, 8:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.