Grok Parser

Overview

Grok parser is a filter that helps analyze and structure unstructured data. Grok parser uses patterns to parse log data.

Configure Grok parser

To create a Grok parser configuration, follow the instructions below:

In the Processor information section , enter general information for a processor according to the instructions at Processor . In this content, you will choose Processor type as Grok Parser .
In the Parsing rule section , enter the following information:

2.1 Enter Source field : field contains logs that will need to be parsed.

2.2 Enter Target field : field will be overwritten in destination log project, normally you will not need to enter this information

2.3 Enter Rule pattern : contains grok pattern to match source field and parse out according to structure.

For example:

Source log project Destination log project Message (field logs mà chúng tôi thực hiện parser) Rule pattern Kết quả parser

Source log project	Destination log project	Message (field logs mà chúng tôi thực hiện parser)	Rule pattern	Kết quả parser
webserver	webserver-parse	`87.251.81.179 - - [01/Aug/2023:12:16:39 +0200] "GET /core/themes/theme.inc/?post == HTTP/1.0" 200 63388`	%{IP:client_ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:http_method} %{URIPATHPARAM:request} HTTP/%{NUMBER:http_version}" %{NUMBER:response_code} %{NUMBER:response_size}	{ "request": "/core/themes/theme.inc/?post==", "MONTH": "Aug", "response_code": "200", "IPV6": null, "auth": "-", "HOUR": "12", "ident": "-", "IPV4": "87.251.81.179", "BASE10NUM": [ "1.0", "200", "63388" ], "http_version": "1.0", "TIME": "12:16:39", "URIQUERY": "post==", "INT": "+0200", "response_size": "63388", "http_method": "GET", "YEAR": "2023", "URIPATH": "/core/themes/theme.inc/", "USERNAME": [ "-", "-" ], "client_ip": "87.251.81.179", "MINUTE": "16", "SECOND": "39", "MONTHDAY": "01", "timestamp": "01/Aug/2023:12:16:39 +0200" }

webserver

webserver-parse

87.251.81.179 - 
- [01/Aug/2023:12:16:39 +0200] 
"GET /core/themes/theme.inc/?post
== HTTP/1.0" 200 63388

%{IP:client_ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:http_method} %{URIPATHPARAM:request} HTTP/%{NUMBER:http_version}" %{NUMBER:response_code} %{NUMBER:response_size}

{ "request": "/core/themes/theme.inc/?post==", "MONTH": "Aug", "response_code": "200", "IPV6": null, "auth": "-", "HOUR": "12", "ident": "-", "IPV4": "87.251.81.179", "BASE10NUM": [ "1.0", "200", "63388" ], "http_version": "1.0", "TIME": "12:16:39", "URIQUERY": "post==", "INT": "+0200", "response_size": "63388", "http_method": "GET", "YEAR": "2023", "URIPATH": "/core/themes/theme.inc/", "USERNAME": [ "-", "-" ], "client_ip": "87.251.81.179", "MINUTE": "16", "SECOND": "39", "MONTHDAY": "01", "timestamp": "01/Aug/2023:12:16:39 +0200" }

3. In the Test rules section , enter the following information:

Enter Log samples as sample log lines so you can check if the rule pattern is parsed successfully.
Click Test your rules to see if the system parses successfully

Store and reuse Parsing rules

You can store a parsing rule by checking Save this rule , then entering a memorable name for the parsing rule you want to store. The mnemonic name has a minimum length of 5 characters, a maximum length of 255 characters and can only include upper and lower case letters (az, AZ), numbers (0-9), and dots (.), space ( ), underscore (_), hyphen (-), and the @ character.
After the parsing rule has been stored, in subsequent processor creations you can reuse this rule by selecting Rule presets in the Pasing rule section.

PreviousProcessor NextGrok Patterns

Last updated 1 month ago