
This is my grok pattern

2017-09-25 08:58:17,861 p=14774 u=ec2-user | 14774 1506329897.86160: checking for any_errors_fatal

I'm trying to read the user, but it's giving only ec2; it's not giving the full word.

Sorry, I'm newer to the grok filter.

My current pattern :

%{TIMESTAMP_ISO8601:timestamp} p=%{WORD:process_id} u=%{WORD:user_id}

Current output :

...
...
...
  "process_id": [
    [
      "14774"
    ]
  ],
  "user_id": [
    [
      "ec2"
    ]
  ]
}
baudsp
Vicky
  • It's working: %{TIMESTAMP_ISO8601:timestamp} p=%{WORD:process_id} u=%{USERNAME:user_id} – Vicky Sep 25 '17 at 09:39
  • If you use USERNAME, someone maintaining your code may think that the log contains a, um, username. Make your own pattern as described by Vorsprung – Alain Collins Oct 08 '17 at 02:19

2 Answers

WORD is defined as "\b\w+\b"

See https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/grok-patterns

  • \b is a word boundary

  • \w matches a single alphanumeric character (an alphabetic character, or a decimal digit) or "_"

  • + means any number of the previous character. So \w+ means any number of characters

Note that \w does NOT match -

So to make it work instead of WORD use

(?<user_id>\b[\w\-]+\b)

This does not use the predefined grok patterns but "raw" regexp.

  • the (?....) is used instead of %{ as it is "raw" regexp
  • \- means a literal - sign
  • [ ] means a character class. So [\w-] will match all the things \w does and - as well
Vorsprung
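The following is an added example, not code from the question or the answers above, that reproduces the behaviour Vorsprung describes so you can check it offline: it expands a small subset of grok's built-in patterns into plain Python regexes and runs the original `%{WORD:user_id}` pattern, the raw `(?<user_id>\b[\w\-]+\b)` fix, and the `%{USERNAME:user_id}` variant from the comments against the log line from the question. The `TIMESTAMP_ISO8601` entry is a simplified stand-in for the real grok definition (an assumption, enough for the `YYYY-MM-DD HH:MM:SS,mmm` form in this log), and the Oniguruma-style `(?<name>...)` group is rewritten to Python's `(?P<name>...)` because Python's `re` module does not accept the former.

```python
import re

# Constructed copy of the log line from the question.
LOG_LINE = (
    "2017-09-25 08:58:17,861 p=14774 u=ec2-user | 14774 1506329897.86160: "
    "checking for any_errors_fatal"
)

# Subset of grok's built-in patterns written as plain regexes.
# WORD and USERNAME follow logstash-patterns-core; TIMESTAMP_ISO8601 is a
# simplified stand-in (assumption) that covers the timestamp format above.
GROK_PATTERNS = {
    "WORD": r"\b\w+\b",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?",
}

# Matches a grok reference such as %{WORD:process_id}.
_GROK_REF = re.compile(r"%\{(\w+):(\w+)\}")


def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME:field} references into Python named groups.

    Also rewrites Oniguruma-style (?<name>...) groups, which grok accepts for
    raw regexes, into the (?P<name>...) form Python's re module understands.
    """
    def expand(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        return f"(?P<{field}>{GROK_PATTERNS[name]})"

    expanded = _GROK_REF.sub(expand, pattern)
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", expanded)


def grok_match(pattern: str, line: str) -> dict:
    """Return the captured fields as a dict, or {} if the pattern does not match."""
    m = re.match(grok_to_regex(pattern), line)
    return m.groupdict() if m else {}


# The three patterns discussed on the page.
ORIGINAL = "%{TIMESTAMP_ISO8601:timestamp} p=%{WORD:process_id} u=%{WORD:user_id}"
RAW_FIX = r"%{TIMESTAMP_ISO8601:timestamp} p=%{WORD:process_id} u=(?<user_id>\b[\w\-]+\b)"
USERNAME_FIX = "%{TIMESTAMP_ISO8601:timestamp} p=%{WORD:process_id} u=%{USERNAME:user_id}"


if __name__ == "__main__":
    for label, pattern in (("WORD", ORIGINAL), ("raw regex", RAW_FIX), ("USERNAME", USERNAME_FIX)):
        # WORD stops at the "-" because \w does not include it; the other two
        # carry on through the hyphen and capture "ec2-user".
        print(f"{label:10s} -> {grok_match(pattern, LOG_LINE)}")
```

Run it as a script to see the three captures side by side; `grok_match` returns the fields so the result can also be checked programmatically.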

Input: Allow1-2 : Success

Grok filter: (?:%{GREEDYDATA:Output}?|-)

Result: {"Output":[["Allow1-2 : Success"]]}

  • Welcome to Stack Overflow. While this code may answer the question, providing additional context regarding why and/or how this code answers the question improves its long-term value. [How to Answer](https://stackoverflow.com/help/how-to-answer) – Elletlar Jan 22 '19 at 10:35