Grok parse failure when trying to create fileld from syslog

[krobertson71]

I have the following message where I am trying to parse out the first word and put it in a field called netid.

Code: Select all

 user : TTY=pts/0 ; PWD=/home/cxxx ; USER=root ; COMMAND=/usr/bin/crontab -l

Here is my filter. There is a space in front of the user but the grok debugger still worked. I have another filter that does the same thing , but with more fields, that you guys helped me put together.

Can you tell me why this would be producing a grokparsefailure? I have tripled checked the field name. I tested the grok filter on the grok debugger website and it works there fine. Could the syslog pattern that is processing this event be causing this to happen?

Filter:

Code: Select all

if [program] == 'sudo' {
  grok {
    match => [ 'message', '{%WORD:netid} %{GREEDYDATA:message}' ]
  }
}

Here is the other filter for my Asset mgmt application. I did not use the " overwrite => [ "message" ]" part of the filter as I do not want to overwrite what is there. The goal is to have on the dashboard a window that lets them know what users are using sudo in certain ways and give a event count per user. Thus the creation of the netid field I am trying to accomplish.

Here is the AssetCore filter that I created the above off of.

Code: Select all

if [program] == 'AssetCore' {
  grok {
    match => [ 'message', '%{DATESTAMP:timestamp} %{WORD:sub_process} *%{WORD:error_code} %{GREEDYDATA:message}' ]
    overwrite => [ "message" ]
  }
}

[krobertson71]

Nevermind. I see my issue. Been a long day and got cross eyed.

Plese fell free to flog as necessary and then close this thread.

This '{%WORD:netid} should have been this '%{WORD:netid}'.

[bwallace]

We'll refrain from flogging, but we will close this thread now