Two strings with one grok

Hello, please help to read this two strings with one grok rule
first: mgmgmg : TTY=unknown ; PWD=/usr/local/gtail/basecomps/deploy/cache ; USER=root ; ENV=HEALTHCHECK=no BACKUP=no ; COMMAND=/usr/bin/dpkg --install goserver_12.08.SP48_amd64.deb
second: root : TTY=unknown ; PWD=/usr/local/autils/auto_update ; USER=root ; COMMAND=/bin/systemctl stop goserver

The pattern i got only works with second data string, how can i do it right?


%{USERNAME:username} : TTY=%{WORD:tty} ; PWD=%{PATH:pwd} ; USER=%{USERNAME:username1} ; COMMAND=%{GREEDYDATA:command}

I make two match strings for this data, is it correct?

Hello @PJss

There is a slight change in 1st pattern, Hence we have to create accordingly, thus try the below

grok
{

match => 
{
"message" => ['%{USERNAME:username} : TTY=%{WORD:tty} ; PWD=%{PATH:pwd} ; USER=%{USERNAME:username1} ; COMMAND=%{GREEDYDATA:command}', '%{USERNAME:username} : TTY=%{WORD:tty} ; PWD=%{PATH:pwd} ; USER=%{USERNAME:username1} ; ENV=HEALTHCHECK=%{WORD:healthcheck} BACKUP=%{WORD:backup} ; COMMAND=%{GREEDYDATA:command}']
}

}

Keep Posted!!! Thanks !!!

1 Like

Personally I would not use grok, but kv instead

    dissect { mapping => { "message" => "%{}: %{[@metadata][kvData]}" } }
    kv { source => "[@metadata][kvData]" field_split_pattern => " ; " whitespace => "strict" }

which will produce

   "COMMAND" => "/usr/bin/dpkg --install goserver_12.08.SP48_amd64.deb",
      "USER" => "root",
       "PWD" => "/usr/local/gtail/basecomps/deploy/cache",
       "ENV" => "HEALTHCHECK=no BACKUP=no",
       "TTY" => "unknown",
2 Likes

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.