PJss
(SERGEY)
July 14, 2022, 12:44pm
1
Hello, please help me read these two strings with one grok rule.
first: mgmgmg : TTY=unknown ; PWD=/usr/local/gtail/basecomps/deploy/cache ; USER=root ; ENV=HEALTHCHECK=no BACKUP=no ; COMMAND=/usr/bin/dpkg --install goserver_12.08.SP48_amd64.deb
second: root : TTY=unknown ; PWD=/usr/local/autils/auto_update ; USER=root ; COMMAND=/bin/systemctl stop goserver
The pattern I got only works with the second data string; how can I do it right?
%{USERNAME:username} : TTY=%{WORD:tty} ; PWD=%{PATH:pwd} ; USER=%{USERNAME:username1} ; COMMAND=%{GREEDYDATA:command}
PJss
(SERGEY)
July 14, 2022, 2:22pm
2
I made two match strings for this data; is that correct?
Hello @PJss
There is a slight change in the 1st pattern, hence we have to create it accordingly, so try the below:
grok {
  match => {
    "message" => [
      '%{USERNAME:username} : TTY=%{WORD:tty} ; PWD=%{PATH:pwd} ; USER=%{USERNAME:username1} ; COMMAND=%{GREEDYDATA:command}',
      '%{USERNAME:username} : TTY=%{WORD:tty} ; PWD=%{PATH:pwd} ; USER=%{USERNAME:username1} ; ENV=HEALTHCHECK=%{WORD:healthcheck} BACKUP=%{WORD:backup} ; COMMAND=%{GREEDYDATA:command}'
    ]
  }
}
Keep posted!!! Thanks!!!
Badger
July 14, 2022, 6:09pm
4
Personally I would not use grok, but kv instead:
dissect { mapping => { "message" => "%{}: %{[@metadata][kvData]}" } }
kv { source => "[@metadata][kvData]" field_split_pattern => " ; " whitespace => "strict" }
which will produce:
"COMMAND" => "/usr/bin/dpkg --install goserver_12.08.SP48_amd64.deb",
"USER" => "root",
"PWD" => "/usr/local/gtail/basecomps/deploy/cache",
"ENV" => "HEALTHCHECK=no BACKUP=no",
"TTY" => "unknown",
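As an added worked example (editor's code, not from any poster in this thread), the following Python script runs both approaches discussed above over the two sudo-style lines from the question: a single regex with an optional ENV segment, which is what the original "one grok rule" request amounts to (the equivalent grok pattern is given in a comment and is my suggestion, not one posted here), and a split-based parser that emulates Badger's dissect + kv pipeline. The sample lines are the two quoted in the thread; the field names `user`, `env` and the helper `commands_run_as_other_user` are my own choices.

```python
import re

# Constructed sample input: the two sudo-style log lines quoted in the question.
SAMPLE_LINES = [
    "mgmgmg : TTY=unknown ; PWD=/usr/local/gtail/basecomps/deploy/cache ; USER=root ; "
    "ENV=HEALTHCHECK=no BACKUP=no ; COMMAND=/usr/bin/dpkg --install goserver_12.08.SP48_amd64.deb",
    "root : TTY=unknown ; PWD=/usr/local/autils/auto_update ; USER=root ; "
    "COMMAND=/bin/systemctl stop goserver",
]

# Approach 1: one regex in which the " ENV=... ;" segment is optional, so a single
# pattern covers both line shapes.  The same idea as a single grok pattern
# (editor's suggestion, not from the thread) would be:
#   %{USERNAME:username} : TTY=%{WORD:tty} ; PWD=%{PATH:pwd} ; USER=%{USERNAME:username1} ;(?: ENV=%{DATA:env} ;)? COMMAND=%{GREEDYDATA:command}
# [a-zA-Z0-9._-]+ is the character class grok's USERNAME pattern uses.
SUDO_RE = re.compile(
    r"^(?P<username>[a-zA-Z0-9._-]+) : "
    r"TTY=(?P<tty>\w+) ; "
    r"PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<user>[a-zA-Z0-9._-]+) ;"
    r"(?: ENV=(?P<env>.*?) ;)?"      # optional: present only on the first line shape
    r" COMMAND=(?P<command>.*)$"
)


def parse_grok_style(line):
    """Return the named fields as a dict, omitting groups that did not match; None if no match."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


# Approach 2: emulate  dissect { "%{}: %{[@metadata][kvData]}" }  followed by
# kv { field_split_pattern => " ; " }.  dissect's empty %{} skips everything up to
# the first ": ", and kv splits each " ; "-separated pair on its FIRST "=", which is
# why ENV keeps the value "HEALTHCHECK=no BACKUP=no" intact.
def parse_kv_style(line):
    """Return the upper-case key/value fields (TTY, PWD, USER, ENV, COMMAND); None if malformed."""
    _prefix, sep, kv_data = line.partition(": ")
    if not sep:
        return None
    fields = {}
    for pair in kv_data.split(" ; "):
        key, eq, value = pair.partition("=")
        if eq:
            fields[key] = value
    return fields


# Illustrative use of the parsed fields (editor's helper): in sudo logs the
# interesting events are the ones where the invoking account differs from the
# target account, e.g. a service user installing a package as root.
def commands_run_as_other_user(lines):
    """Return (invoking_user, target_user, command) for lines where sudo switched identity."""
    found = []
    for line in lines:
        f = parse_grok_style(line)
        if f and f["username"] != f["user"]:
            found.append((f["username"], f["user"], f["command"]))
    return found


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("regex :", parse_grok_style(line))
        print("kv    :", parse_kv_style(line))
    print("identity switches:", commands_run_as_other_user(SAMPLE_LINES))
```

One caveat worth noticing in the output: the dissect mapping in the reply above uses an empty `%{}` for the text before ": ", so the invoking username (`mgmgmg`) is discarded, while the regex form keeps it. For sudo logs that is usually the field you most want to keep, so if you go the dissect + kv route, name that field in the mapping instead of skipping it.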
system
(system)
Closed
August 11, 2022, 6:09pm
5
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.