Grok resolution regular expression

I use the following regular expression:

INT (?:[+-]?(?:[0-9]+))
VALUE ([0-9]+)
SPACE \s*
DATA .*?
USERNAME [a-zA-Z0-9._-]+
YEAR (?>\d\d){1,2}
MONTHNUM (?:0?[1-9]|1[0-2])
MONTHDAY (?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])
HOUR (?:2[0123]|[01]?[0-9])
MINUTE (?:[0-5][0-9])
SECOND (?:(?:[0-5][0-9]|60))
ISO8601_TIMEZONE (?:Z|[+-]%{HOUR}(?::?%{MINUTE}))
TIMESTAMP %{YEAR:year}/%{MONTHNUM:monthnum}/%{MONTHDAY:monthday}-%{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second}.%{VALUE:_second}
MESSAGE %{DATA}ERR_SYSTEM%{DATA}
PARSE_ERROR %{TIMESTAMP:ts}%{SPACE}%{USERNAME:type1}%{SPACE}%{USERNAME:slave}%{SPACE}%{USERNAME:type2}%{SPACE}[%{USERNAME:fibre1}/USERNAME:fibre2]%{SPACE}%{MESSAGE:message}

Now I have to parse this line:

2013/05/13-05:19:16.776 INFO abcd1 gamereporting
[0000000000000000/00000000000000000000]
[GameReportingSlaveImpl:0x30bf7699a010].processReport(): Error
processing report for id=18014398509852207, type=frostbite_m,
error=ERR_SYSTEM

After parsing, I get the following:

type1: INFO
slave: abcd1
type2: gamereportin

Now, type2 always misses the 'g'. Why does this happen?

Can someone provide the correct regular expression for the above line?

Are you using Grok Debugger?

Where is your Grok mode? I didn’t see it in your post.

I will start with something similar to the following. Since you don’t have a deep understanding of how to save data, you must add it when you figure it out.

%{DATESTAMP}%{SPACE}%{LOGLEVEL}%{SPACE}%{WORD}%{SPACE}%{WORD}%{SPACE}(?\[\d+\/\d+\])

Use Grok Debugger; it will save you a lot of time.
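Added example, not code from the question or the answer above: a minimal grok-style expander in Ruby (whose Onigmo regex engine, like the Oniguruma-family engine Logstash grok runs on, accepts the atomic group in YEAR unchanged) that runs the posted PARSE_ERROR against the posted log line, re-joined onto one line, reproduces the truncated type2, and then runs a corrected PARSE_ERROR_FIXED. Assumptions: the fix escapes the literal brackets and wraps fibre2 in %{...}, and load_patterns, expand and grok are hypothetical helper names.

```ruby
# Constructed pattern file: the poster's definitions (minus the unused INT and ISO8601_TIMEZONE),
# plus PARSE_ERROR_FIXED, an assumed correction: brackets escaped, fibre2 wrapped in %{...}.
GROK_DEFS = <<~'GROK'
  VALUE ([0-9]+)
  SPACE \s*
  DATA .*?
  USERNAME [a-zA-Z0-9._-]+
  YEAR (?>\d\d){1,2}
  MONTHNUM (?:0?[1-9]|1[0-2])
  MONTHDAY (?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])
  HOUR (?:2[0123]|[01]?[0-9])
  MINUTE (?:[0-5][0-9])
  SECOND (?:(?:[0-5][0-9]|60))
  TIMESTAMP %{YEAR:year}/%{MONTHNUM:monthnum}/%{MONTHDAY:monthday}-%{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second}.%{VALUE:_second}
  MESSAGE %{DATA}ERR_SYSTEM%{DATA}
  PARSE_ERROR %{TIMESTAMP:ts}%{SPACE}%{USERNAME:type1}%{SPACE}%{USERNAME:slave}%{SPACE}%{USERNAME:type2}%{SPACE}[%{USERNAME:fibre1}/USERNAME:fibre2]%{SPACE}%{MESSAGE:message}
  PARSE_ERROR_FIXED %{TIMESTAMP:ts}%{SPACE}%{USERNAME:type1}%{SPACE}%{USERNAME:slave}%{SPACE}%{USERNAME:type2}%{SPACE}\[%{USERNAME:fibre1}/%{USERNAME:fibre2}\]%{SPACE}%{MESSAGE:message}
GROK
# The post's log line, re-joined onto one line (the post shows it wrapped).
LOG_LINE = '2013/05/13-05:19:16.776 INFO abcd1 gamereporting ' \
           '[0000000000000000/00000000000000000000] ' \
           '[GameReportingSlaveImpl:0x30bf7699a010].processReport(): Error processing ' \
           'report for id=18014398509852207, type=frostbite_m, error=ERR_SYSTEM'

# "NAME pattern" per line -> { "NAME" => "pattern" }
def load_patterns(text)
  text.each_line.each_with_object({}) do |line, defs|
    name, pat = line.strip.split(/\s+/, 2)
    defs[name] = pat if name && pat
  end
end

# Recursively replace %{NAME:field} with (?<field>...) and %{NAME} with (?:...); unknown names raise KeyError.
def expand(pattern, defs)
  pattern.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    name, field = Regexp.last_match(1), Regexp.last_match(2) # copy before recursing: gsub resets $~
    body = expand(defs.fetch(name), defs)
    field ? "(?<#{field}>#{body})" : "(?:#{body})"
  end
end

# Named captures as a Hash, or nil when the line does not match.
def grok(pattern, line, defs)
  md = Regexp.new(expand(pattern, defs)).match(line)
  md && md.names.map { |n| [n, md[n]] }.to_h
end

defs = load_patterns(GROK_DEFS)
p grok('%{PARSE_ERROR}', LOG_LINE, defs)['type2']   # "gamereportin": the unescaped [ became a character class that ate the g
p grok('%{PARSE_ERROR_FIXED}', LOG_LINE, defs).values_at('type2', 'fibre1', 'fibre2')
```

With the posted pattern the `[` is never a literal bracket: it opens a character class that runs to the next `]`, so the named group fibre1 disappears and the class matches exactly one character, which after backtracking is the final `g` of gamereporting.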
