Grok Parser
Overview
The Grok parser is a filter that analyzes and structures unstructured data: it uses grok patterns to parse raw log lines into named fields.
Configure Grok parser
To create a Grok parser configuration, follow the instructions below:
1. In the Processor information section, enter the general information for a processor according to the instructions at Processor. For this processor, choose Grok Parser as the Processor type.
2. In the Parsing rule section, enter the following information:
2.1 Enter Source field: the field that contains the logs to be parsed.
2.2 Enter Target field: the field that will be overwritten in the destination log project; normally you do not need to enter this.
2.3 Enter Rule pattern: the grok pattern that matches the source field and parses it into structured fields.
For example:
Source field: webserver
Target field: webserver-parse
Rule pattern: %{IP:client_ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:http_method} %{URIPATHPARAM:request} HTTP/%{NUMBER:http_version}" %{NUMBER:response_code} %{NUMBER:response_size}
Parsed result:
{
  "request": "/core/themes/theme.inc/?post==",
  "MONTH": "Aug",
  "response_code": "200",
  "IPV6": null,
  "auth": "-",
  "HOUR": "12",
  "ident": "-",
  "IPV4": "87.251.81.179",
  "BASE10NUM": [ "1.0", "200", "63388" ],
  "http_version": "1.0",
  "TIME": "12:16:39",
  "URIQUERY": "post==",
  "INT": "+0200",
  "response_size": "63388",
  "http_method": "GET",
  "YEAR": "2023",
  "URIPATH": "/core/themes/theme.inc/",
  "USERNAME": [ "-", "-" ],
  "client_ip": "87.251.81.179",
  "MINUTE": "16",
  "SECOND": "39",
  "MONTHDAY": "01",
  "timestamp": "01/Aug/2023:12:16:39 +0200"
}
3. In the Test rules section, enter the following information:
3.1 Enter Log samples: sample log lines, so you can check whether the rule pattern parses them successfully.
3.2 Click Test your rules to see whether the system parses the samples successfully.
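As an added illustration (not part of this documentation), the following Python reproduces what the Grok parser does with the rule pattern above: each %{PATTERN:field} reference is expanded into a named regular-expression group, and the result is matched against a log line, returning the fields on success and None when the rule does not match, which is what the Test rules step reports as a failed parse. The sub-pattern definitions and the sample line are constructed here from the page's example; the service's real pattern library is larger.

```python
import re

# Simplified versions of the grok sub-patterns the page's rule uses.
# Constructed for illustration; a real grok library is larger (e.g. IP also
# covers IPv6, which is why the page's output contains IPV4/IPV6 keys).
GROK_PATTERNS = {
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "USER": r"[a-zA-Z0-9._-]+",
    "HTTPDATE": r"\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
    "WORD": r"\w+",
    "URIPATHPARAM": r"/[^\s\"]*",
    "NUMBER": r"[+-]?(?:\d+\.\d+|\d+)",
}

# %{PATTERN:field} or %{PATTERN}; everything else in the rule is regex literal text
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def grok_to_regex(rule):
    """Expand each %{NAME:field} into a named capture group and compile the rule."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        if name not in GROK_PATTERNS:
            raise ValueError(f"unknown grok pattern %{{{name}}}")
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(GROK_REF.sub(expand, rule))

def grok_parse(rule, line):
    """Return {field: value} for a matching line, or None when the rule fails."""
    m = grok_to_regex(rule).match(line)
    return m.groupdict() if m else None

# The rule pattern shown on this page
RULE = (r'%{IP:client_ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] '
        r'"%{WORD:http_method} %{URIPATHPARAM:request} HTTP/%{NUMBER:http_version}" '
        r'%{NUMBER:response_code} %{NUMBER:response_size}')

# Constructed log line, reassembled from the values in the page's example output
SAMPLE_LINE = ('87.251.81.179 - - [01/Aug/2023:12:16:39 +0200] '
               '"GET /core/themes/theme.inc/?post== HTTP/1.0" 200 63388')

if __name__ == "__main__":
    print(grok_parse(RULE, SAMPLE_LINE))
    # A truncated line the rule does not describe yields None (a failed parse)
    print(grok_parse(RULE, "87.251.81.179 - - [01/Aug/2023:12:16:39 +0200]"))
```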
Store and reuse Parsing rules
You can store a parsing rule by checking Save this rule, then entering a memorable name for the parsing rule you want to store. The name has a minimum length of 5 characters and a maximum length of 255 characters, and can only include upper and lower case letters (a-z, A-Z), digits (0-9), dots (.), spaces ( ), underscores (_), hyphens (-), and the @ character.
After the parsing rule has been stored, you can reuse it when creating subsequent processors by selecting Rule presets in the Parsing rule section.