-2

Can you write a grok expression for the following requirement:

We have 3 types of events, as shown below:

08D7119FBFEC19B7;250 2.6.0 <DM6PR09MB3369DAB34BC8812C1CF1E16181C00@DM6PR09MB3369.namprd09.prod.outlook.com> [InternalId=669077,Hostname=Abcd] Queued mail for delivery
08D7119FBFEC19B7;250 2.6.0 <DM6PR09MB3369DAB34BC8812C1CF1E16181C00@DM6PR09MB3369.namprd09.prod.outlook.com> [InternalId=669077] Queued mail for delivery
08D7119FBFEC19B7;250 2.6.0 <DM6PR09MB3369DAB34BC8812C1CF1E16181C00@DM6PR09MB3369.namprd09.prod.outlook.com> [Hostname=Abcd] Queued mail for delivery

For the above events, write a single grok expression which satisfies the following cases:

  1. Grok should fetch InternalId and Hostname values if both are present

  2. Grok should fetch the InternalId value if only InternalId is present

  3. Grok should fetch the Hostname value if only Hostname is present

Laurenz Albe
sreekanth
  • What have you tried so far? What worked and didn't work? – mihomir Aug 08 '19 at 12:26
  • ((.*\[InternalId=%{NUMBER:InternalId}.*Hostname=%{USERNAME:Hostname}\])|(.\[InternalId=%{NUMBER:InternalId}.)|(.\[Hostname=%{USERNAME:Hostname}.)) This is the grok expression for them. I have worked on it. – sreekanth Aug 08 '19 at 14:48

1 Answer

1

((.*\[InternalId=%{NUMBER:InternalId}.*Hostname=%{USERNAME:Hostname}\])|(.\[InternalId=%{NUMBER:InternalId}.)|(.\[Hostname=%{USERNAME:Hostname}.))

This is the grok expression which gives the exact output.

sreekanth
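
As an added example (not part of the original answer and not Logstash code), this Ruby sketch expands the answer's expression into a regular expression and runs it over the question's three events plus two constructed lines. `GROK_PATTERNS`, `grok_to_regexp` and `extract` are hypothetical names, and the NUMBER and USERNAME bodies are simplified stand-ins for the stock grok patterns.

```ruby
# Simplified stand-ins for the stock NUMBER and USERNAME grok patterns
# (assumption: equivalent for these inputs, not copied from Logstash).
GROK_PATTERNS = {
  'NUMBER'   => '[+-]?\d+(?:\.\d+)?',
  'USERNAME' => '[a-zA-Z0-9._-]+'
}.freeze

# The answer's alternation, with the literal square brackets escaped.
GROK_EXPR = '((.*\[InternalId=%{NUMBER:InternalId}.*Hostname=%{USERNAME:Hostname}\])' \
            '|(.\[InternalId=%{NUMBER:InternalId}.)' \
            '|(.\[Hostname=%{USERNAME:Hostname}.))'

# Expand each %{PATTERN:field} into a named capture. Ruby's regex engine
# accepts the same field name in several alternatives.
def grok_to_regexp(expr)
  Regexp.new(expr.gsub(/%\{(\w+):(\w+)\}/) { "(?<#{$2}>#{GROK_PATTERNS.fetch($1)})" })
end

GROK_RE = grok_to_regexp(GROK_EXPR)

# Return only the fields that actually matched; {} when the line has neither.
def extract(line)
  m = GROK_RE.match(line)
  return {} unless m
  %w[InternalId Hostname].each_with_object({}) { |f, out| out[f] = m[f] if m[f] }
end

# Common prefix of the three events shown in the question.
MSG = '08D7119FBFEC19B7;250 2.6.0 ' \
      '<DM6PR09MB3369DAB34BC8812C1CF1E16181C00@DM6PR09MB3369.namprd09.prod.outlook.com>'

SAMPLES = {
  both:      "#{MSG} [InternalId=669077,Hostname=Abcd] Queued mail for delivery",
  id_only:   "#{MSG} [InternalId=669077] Queued mail for delivery",
  host_only: "#{MSG} [Hostname=Abcd] Queued mail for delivery",
  # Constructed edge cases, not from the question:
  reversed:  "#{MSG} [Hostname=Abcd,InternalId=669077] Queued mail for delivery",
  neither:   "#{MSG} Queued mail for delivery"
}.freeze

SAMPLES.each { |name, line| puts "#{name}: #{extract(line)}" }
```

The constructed `reversed` line yields only Hostname, because the first alternative expects InternalId before Hostname and the second expects InternalId directly after the opening bracket.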