custom log grok pattern

Question

I am trying to parse a custom log line using grok pattern but I'm not able to completely parse the line.

Custom log line:

site 'TRT' : alias 'TRT,FAK,FAS,ATI,ONE,DVZ,TWO' : serveur 'Test10011' RAS : TRT / TRT serveur 'Test10011' OK

Grok pattern:

%{DATA:site}\:%{DATA:alias}\:%{DATA:server}\:%{DATA:msg}

Result:

{
  "site": [
    [
      "site 'TRT' "
    ]
  ],
  "alias": [
    [
      " alias 'TRT,FAK,FAS,ATI,ONE,DVZ,TWO' "
    ]
  ],
  "server": [
    [
      " serveur 'Test10011' RAS "
    ]
  ],
  "msg": [
    [
      ""
    ]
  ]
}

I am not able to parse the last few items in the 'msg', . Could you please help ,where I'm going wrong? msg should contain "TRT / TRT serveur 'Test10011' OK"

Wiktor Stribiżew Wiktor Stribiżew · Accepted Answer · 2017-06-07T12:36:04

It seems you just need to use GREEDYDATA instead of DATA pattern:

%{DATA:site}\s*:\s*%{DATA:alias}\s*:\s*%{DATA:server}\s*:\s*%{GREEDYDATA:msg}

I also suggest adding \s* around : to get rid of leading/trailing whitespaces.

custom log grok pattern

1 Answers