Two different syntax in grok

Question

A normal event could be like this:

 2015-11-20 18:50:33,739 [TRE01_0101] [76] [10.117.10.220]

but sometimes I have a log with "default" IP:

 2015-11-04 23:14:27,469 [TRE01_0101] [40] [default]

If I have defined in grok a [SYNTAX:SEMANTIC] pattern as follows:

grok {
        match => { "message" => "%{TIMESTAMP_ISO8601:time} \[%{DATA:instance}\] \[%{NUMBER:numeric}\] \[%{IP:client}\]}"}

}

How can I parse a log that contains dafault as IP?

Now I'm getting a _grokparsefailure because "default" is not an "IP SYNTAX".

Thanks in advance

Also note that brackets are used in regular expressions to show ranges, so you'll need to escape them. — Alain Collins, Dec 07 '15 at 17:03

score 1 · Answer 1 · answered Dec 07 '15 at 17:02

1

You can group things together and then make them conditional:

(%{IP:client}|default)

answered Dec 07 '15 at 17:02

Alain Collins

Thanks! Finally I tried next: (\[%{IP:client}\]|\[%{DATA:client}\]) escaping brackets – user3228279 Dec 08 '15 at 11:20
If you want to keep everything as 'client', you might use a different pattern, like "\[(?[^\]]*)\]". This says "a bracket, capturing everything that's not a bracket, followed by another bracket". Though in hind-sight, it might not be more clear :) – Alain Collins Dec 08 '15 at 16:22

1 Answers1