Grok - Parse logs with lines of different lengths

Asked Mar 21 '19 at 19:23

Active Mar 28 '19 at 17:07

Viewed 68 times

I have a log with the following format

<timestamp1> <user1>-<jobclass1> <n> <user2>-<jobclass2> <n> <user3>-<jobclass3> <n> ...
<timestamp2> <user1>-<jobclass1> <n> <user2>-<jobclass2> <n> ...    
<timestamp1> <user1>-<jobclass1> <n> <user2>-<jobclass2> <n> <user3>-<jobclass3> <n> <user4>-<jobclass4> <n>...

And need a return like this for each user

{ "username": [ "XXXX" ], "jobclass": [ "YYYY" ], "quantity": [ "ZZZZ" ] }

I try using this

%{SYSLOGBASE} %{WORD:user}-%{WORD:jobclass} %{NUMBER:quantity}

The problem is that each single line could have 4, 5, 10, 100 users. So i need to implement some kind of recursivity

Some ideas?

Thanks,

edited Mar 28 '19 at 17:07

baudsp

4,076
1
17
35

asked Mar 21 '19 at 19:23

Christian Nicolaide

1

Hi mate, I'm asking the same thing in elastic forums here https://discuss.elastic.co/t/filter-and-count-indeterminate-number-of-not-known-keywords/175705 I got a short answer from Badger there, for which he tells me to use "dissect", "kv" and a "ruby" filter. I think it could help you sort this out. – carrotcakeslayer Apr 07 '19 at 15:42

Grok - Parse logs with lines of different lengths

0 Answers0