Variable space working in grok debugger but not in server

raamee · March 17, 2017, 12:33pm

Hi,

My new problem:

Here's my logs:

(14529) Login OK: [host] (from client DEVICE-NAME port 13 cli 20-19-44-03-26-c6 via TLS tunnel)
(14529)  Login OK: [host] (from client DEVICE-NAME port 13 cli 20-19-44-03-26-c6 via TLS tunnel)

You can see the difference between two lines. That is there is an additional space before Login OK in the second line. Due to that I'm facing difficulty in Graphs in kibana.( It shows two Login OK since there is a space)

My Grok pattern:

\(%{NOTSPACE:removed}\) +%{GREEDYDATA:AUTH}: \[%{DATA:username}\] \(from client %{NOTSPACE:radius_client} port %{INT:radius_port} (?:cli %{NOTSPACE:radius_cli})?(?: via %{DATA:radius_via})?\)

I used a + infront of %{GREEDYDATA:AUTH}: and that is working in Grok debugger online but not in my server.

Any idea?

Thank you.

The output comes as below:

"AUTH" => " Login OK",

Please notice the space before Login OK

andre22 · March 17, 2017, 9:34pm

Hi raamee,

maybe you could strip the space from your field: https://www.elastic.co/guide/en/logstash/5.2/plugins-filters-mutate.html#plugins-filters-mutate-strip

cheers

YuWatanabe · March 17, 2017, 11:42pm

@raamee

How about sandwiching the AUTH with space parsing ?

\(%{NOTSPACE:removed}\)%{SPACE}%{DATA:AUTH}:%{SPACE}\[%{DATA:username}\]

raamee · March 20, 2017, 4:30am

Thank you. That did the job.

raamee · March 20, 2017, 4:31am

Thanks for the answer but I have already tried that.

YuWatanabe · March 21, 2017, 12:50am

@raamee

Ok. I am glad that it worked out for you anyway using @andre22‘s idea.

system · April 18, 2017, 12:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.