Grok Parser
Last updated
Last updated
Address
VNG CorporationGrok parser is a filter that helps analyze and structure unstructured data. Grok parser uses patterns to parse log data.
To create a Grok parser configuration, follow the instructions below:
In the Processor information section , enter general information for a processor according to the instructions at Processor . In this content, you will choose Processor type as Grok Parser .
In the Parsing rule section , enter the following information:
2.1 Enter Source field : field contains logs that will need to be parsed.
2.2 Enter Target field : field will be overwritten in destination log project, normally you will not need to enter this information
2.3 Enter Rule pattern : contains grok pattern to match source field and parse out according to structure.
For example:
webserver
webserver-parse
%{IP:client_ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:http_method} %{URIPATHPARAM:request} HTTP/%{NUMBER:http_version}" %{NUMBER:response_code} %{NUMBER:response_size}
{ "request": "/core/themes/theme.inc/?post==", "MONTH": "Aug", "response_code": "200", "IPV6": null, "auth": "-", "HOUR": "12", "ident": "-", "IPV4": "87.251.81.179", "BASE10NUM": [ "1.0", "200", "63388" ], "http_version": "1.0", "TIME": "12:16:39", "URIQUERY": "post==", "INT": "+0200", "response_size": "63388", "http_method": "GET", "YEAR": "2023", "URIPATH": "/core/themes/theme.inc/", "USERNAME": [ "-", "-" ], "client_ip": "87.251.81.179", "MINUTE": "16", "SECOND": "39", "MONTHDAY": "01", "timestamp": "01/Aug/2023:12:16:39 +0200" }
3. In the Test rules section , enter the following information:
Enter Log samples as sample log lines so you can check if the rule pattern is parsed successfully.
Click Test your rules to see if the system parses successfully
You can store a parsing rule by checking Save this rule , then entering a memorable name for the parsing rule you want to store. The mnemonic name has a minimum length of 5 characters, a maximum length of 255 characters and can only include upper and lower case letters (az, AZ), numbers (0-9), and dots (.), space ( ), underscore (_), hyphen (-), and the @ character.
After the parsing rule has been stored, in subsequent processor creations you can reuse this rule by selecting Rule presets in the Pasing rule section.