What is the grok pattern for find userid from message?

I've two layouts one is error layout.in this layout have two additional fields like.requestUrl and requestmethod.
the second one is common layout which is for warn,debug,info log levels.
i've also added userId which is in format of GUID.
you can see in log `AuthID:soemthing guid. i want to add userId field with use of grok.
but when used grok for userId it don't taking and also not creating a field.
What should it pattern will be?

here is log

2020-10-16 11:11:06.2668 18524 ERROR FinanceAPI.Controllers.TransactionController 192.168.43.244 http://bhavin/Transactions POST Invalid LedgersFinanceAPI.Execptions.InvalidDataException: Invalid Ledgers
   at FinanceAPI.Controllers.TransactionController.Insert(Transaction tx) in D:\Git\finance.api\FinanceAPI\Controllers\TransactionController.cs:line 69    at FinanceAPI.Controllers.TransactionController.Insert(Transaction tx) in D:\Git\finance.api\FinanceAPI\Controllers\TransactionController.cs:line 69 AuthID:1dfae3d2-258d-42d4-802e-c39a751574e3

and this is the grok pattern

if [fields][log_type] == "finance" 
	{
	   grok {
			match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{INT:processId} %{LOGLEVEL:level} %{DATA:logger} %{IPV4:clientIp} %{GREEDYDATA:message}"}
			overwrite => "message"
		}

		if [message] =~ "^http:" {
			grok {
				match => { "message" => "%{URI:requestUrl} %{WORD:requestMethod} %{GREEDYDATA:message}" }
				overwrite => "message"
			}
		}
		if [message] =~ "^AuthID:" {
				grok {
				match => { "message" => "%{UUID:UserId}" }
				overwrite => "message"
			}
		}
		
	}

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.