Any grok pattern for email address?

comfone · Post by **comfone** » Fri Jun 17, 2016 10:23 am

Hi All
I would like to search for the email address and add it to a new field like "Username:[email protected]"

<13>Jun 17 15:16:51 csvww177 2016-06-17 15:16:50,993 ERROR PulseControllerTfa [4bsa023ralu3r7m7rnkfbkierhq62bnnta0jleai0ka0l641hhj1] [[email protected]] Logon denied: Username and password do not match or you do not have an account yet.

But I cant find any grok pattern for it.

How can I do it?

Thank you in advance for your help.

hsmith · Post by **hsmith** » Fri Jun 17, 2016 10:27 am

Have you ever created a grok filter?

comfone · Post by **comfone** » Fri Jun 17, 2016 6:38 pm

Yes... here an example..
if [type] == 'pulse_log' {
grok {
break_on_match => false
match => ['message','(?<PortalUser>USR_PORTAL_[\d]+)']
tag_on_failure => [ ]
match => ['message','(?<OracleError>ORA-[\d]+)']
tag_on_failure => [ ]
}
}

I just want to know if there is pattern for email address or do I need to create a custom patter with regex, wich is quite complicated for a simple email address.
That would be something like: (?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]

?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])

hsmith · Post by **hsmith** » Sat Jun 18, 2016 12:14 pm

You could use GREEDYDATA. Or maybe check this out: https://gist.github.com/jbrownsc/4694374

Nagios Support Forum

Any grok pattern for email address?

Any grok pattern for email address?

Re: Any grok pattern for email address?

Re: Any grok pattern for email address?

Re: Any grok pattern for email address?