Hi, I'm in need of some serious help,
I have logs that I wish to parse using GROK, but the problem I'm having is that they are not always consistent in content or spacing. Here are some obfuscated examples:
title_access_log:ipaddress1, ipaddress2, ipaddress3 - - [14/Nov/2017:08:30:00 +0000] "GET /url HTTP/1.1" 200 198454 - 153261 - 0000fD5b5OSuS2C7ZdhgwqYufJk:GH809 url
title_access_log:ipaddress1, ipaddress2 - - [14/Nov/2017:08:30:00 +0000] "GET /url HTTP/1.1" 200 2326 - 20482 V22843489635e0e42e864037eccb8ad4857500ea 0000BDzHfUFhjJmcs9R4-CyglGS:GH806 url
title_access_log:ipaddress1, ipaddress2 - - [14/Nov/2017:08:30:00 +0000] "POST /url HTTP/1.1" 200 30031 - 17942 - 0000PjpQluI9BZ0w4EDB9o2fow-:GH809 url
I have managed to make a GROK pattern that pulls out up to the time and date for logs that contain 2 IPs, but I get stuck going further or when trying to do logs with 3 IPs.
Has anyone got any advice on how to tackle this?
Graylog is what I'm using to extract data to, so I do have the option of using formats other than GROK.
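An added example, not part of the original post: one regular expression that handles the three sample lines above, taking a comma-separated client list of any length and treating "-" as an empty value. The field names (log_name, field1 to field3, session, tail and the rest) are assumptions, since the post does not say what each column means.

```python
import re

# Field names are assumed for illustration; the post does not name the columns.
LINE_RE = re.compile(
    r'^(?P<log_name>[^:\s]+):'
    # One address followed by zero or more ", address" items (2 or 3 in the samples).
    r'(?P<ip_list>[^\s,]+(?:,\s*[^\s,]+)*)\s+'
    r'(?P<ident>\S+)\s+(?P<user>\S+)\s+'
    r'\[(?P<timestamp>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<protocol>[^"\s]+)"\s+'
    r'(?P<status>\d{3})\s+(?P<bytes>\d+|-)\s+'
    # Three columns that hold either a value or "-" depending on the line.
    r'(?P<field1>\S+)\s+(?P<field2>\S+)\s+(?P<field3>\S+)\s+'
    r'(?P<session>\S+)\s+(?P<tail>.*)$'
)

# The obfuscated sample lines from the post.
SAMPLES = [
    'title_access_log:ipaddress1, ipaddress2, ipaddress3 - - [14/Nov/2017:08:30:00 +0000] "GET /url HTTP/1.1" 200 198454 - 153261 - 0000fD5b5OSuS2C7ZdhgwqYufJk:GH809 url',
    'title_access_log:ipaddress1, ipaddress2 - - [14/Nov/2017:08:30:00 +0000] "GET /url HTTP/1.1" 200 2326 - 20482 V22843489635e0e42e864037eccb8ad4857500ea 0000BDzHfUFhjJmcs9R4-CyglGS:GH806 url',
    'title_access_log:ipaddress1, ipaddress2 - - [14/Nov/2017:08:30:00 +0000] "POST /url HTTP/1.1" 200 30031 - 17942 - 0000PjpQluI9BZ0w4EDB9o2fow-:GH809 url',
]


def parse_line(line):
    """Return a dict of fields, or None when the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # "-" marks an absent value in this log format; store it as None.
    rec = {k: (None if v == "-" else v) for k, v in m.groupdict().items()}
    rec["client_ips"] = [ip.strip() for ip in rec.pop("ip_list").split(",")]
    rec["status"] = int(rec["status"])
    if rec["bytes"] is not None:
        rec["bytes"] = int(rec["bytes"])
    return rec


if __name__ == "__main__":
    for sample in SAMPLES:
        rec = parse_line(sample)
        print(len(rec["client_ips"]), rec["method"], rec["field3"], rec["session"])
```

The separators are all `\s+`, so runs of extra spaces between columns do not break the match; a line that fails returns None and can be routed to a catch-all for review.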