Getting regex for grok filter?

I have a complex grok filter expression ... is it possible to get the regex that this filter is converted to?

+3




1 answer


You can do this with a simple Perl script that reads the templates file and replaces the %{PATTERN} stuff with the actual regex it's based on - you'll have to tweak it a bit, but it shows you how to do it:



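#!/usr/bin/perl
use strict;
use warnings;

# this is the path to your grok-patterns file
my %pattern;
open(my $fh, '<', 'patterns/grok-patterns') or die "cannot open patterns/grok-patterns: $!";
while (<$fh>) {
  chomp;
  # each definition line has the form "NAME regex"
  if (/^(\S+) (.*)/) {
    $pattern{$1} = $2;
  }
}
close($fh);

# this is the grok pattern I want to expand
my $pattern = '%{IP:junk} %{COMBINEDAPACHELOG:junk2}';

# keep replacing %{NAME} / %{NAME:field} until none are left (definitions nest)
while ($pattern =~ /(%\{([^:\}]+):?[^\}]*\})/) {
    my $name = $2;
    die "undefined pattern: $name\n" unless defined $pattern{$name};
    # substr takes (offset, length), so the length is match end minus match start
    substr($pattern, $-[0], $+[0] - $-[0]) = $pattern{$name};
}
print $pattern, "\n";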

      

+2
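The following is an added example, not part of the original answer. It does the same expansion in Ruby, whose regex engine shares the Oniguruma syntax that grok patterns are written in, and goes a step further: field names become named capture groups, and undefined or self-referencing definitions raise an error. The pattern definitions and the log line are constructed, simplified samples, not the patterns shipped with Logstash, and the function names are hypothetical.

```ruby
# Constructed sample definitions in grok-patterns file format ("NAME regex").
# Simplified stand-ins, not the definitions shipped with Logstash.
PATTERNS = <<~'EOS'
  # comment lines and blank lines are skipped
  INT [+-]?[0-9]+
  OCTET (?:25[0-5]|2[0-4][0-9]|1?[0-9]{1,2})
  IPV4 %{OCTET}(?:\.%{OCTET}){3}
  WORD \b\w+\b
  SSHFAIL Failed password for %{WORD:user} from %{IPV4:src_ip} port %{INT:src_port}
  LOOP_A x%{LOOP_B}
  LOOP_B y%{LOOP_A}
EOS

# Parse "NAME regex" lines into a hash of name => regex source.
def load_patterns(text)
  text.each_line.with_object({}) do |line, defs|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    name, regex = line.split(/\s+/, 2)
    defs[name] = regex if regex
  end
end

# Recursively replace %{NAME}, %{NAME:field} and %{NAME:field:type} with the
# underlying regex. A plain-word field name becomes a named capture group;
# anything else becomes a non-capturing group. `stack` holds the names being
# expanded, so a self-referencing definition raises instead of looping.
def expand(pattern, defs, stack = [])
  pattern.gsub(/%\{(\w+)(?::(\w+))?[^}]*\}/) do
    name, field = $1, $2
    raise ArgumentError, "undefined pattern #{name}" unless defs.key?(name)
    raise ArgumentError, "cyclic pattern #{(stack + [name]).join(' -> ')}" if stack.include?(name)
    body = expand(defs[name], defs, stack + [name])
    field ? "(?<#{field}>#{body})" : "(?:#{body})"
  end
end

# Compile the fully expanded pattern so it can be tested against log lines.
def grok_to_regexp(pattern, defs)
  Regexp.new(expand(pattern, defs))
end

if __FILE__ == $PROGRAM_NAME
  re = grok_to_regexp('%{SSHFAIL}', load_patterns(PATTERNS))
  puts re.source
  # Constructed sample log line.
  p re.match('Failed password for root from 203.0.113.7 port 52144 ssh2')&.named_captures
end
```

To run it against a real definitions file, pass `File.read` of that file to `load_patterns` instead of the embedded sample.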

