Updated at: 2022-12-09 03:49:50
Grok parsing is a powerful tool for text parsing. Commonly expression: (? <name> matching rule), means that the value of the matching rule is named as the <name>. The following table shows the common symbols:
Currently, the following 2 methods to make Grok parsing are supported, both available at the same time:
• Manually fill in regular expression:
Example: Taking AnyShare access log as a log sample, the parsing rule need to extract the information of time, user, IP address, login details and other fields.
After manually filling in a regular expression, and click Verify. The contents corresponding to the field names in the parsed text are displayed in different colors and the parsing result can be viewed on the right side, as follows:
_24.png)
Note: For regular expression, the special characters including "[", "]", "(", ")", "{", "}", "?", ".", "s", "S", "d", "D", "w", "W", "", "*", "|" are required to be preceded by an escape character.
• Select fields: Automatically generate regular expression
Example: Taking the Agent Audit log as an example to extract the IP field from it, as follows:
1) Manually select the content of the field to be extracted. Here, select "180.171.33.167". In the field extraction window, customize the Field Name as "terminal";
2) Click OK to automatically generate a regular expression and verify it synchronously, and you can view the parsed result on the right side.
Note: The field name cannot be null, cannot start with @, _, or number, and cannot be duplicated with the system field name.
3) Hover over the selected field in the parsed text box to display Edit and Delete, and you can edit and delete the field by clicking on the icon, as follows:
| Symbol | Description |
| S | It means matching non-space characters |
| S+ | It means matching consecutive non-space characters |
| s | It means matching space |
| [^,]* | It means matching a field that is not ", " by 0 time or multiple times |
| d | It means matching data 0-9 |
| ? | It means matching 1 object |
| * | It means matching 0 object or more objects |
| + | It means matching 1 object or more objects |
• Manually fill in regular expression:
Example: Taking AnyShare access log as a log sample, the parsing rule need to extract the information of time, user, IP address, login details and other fields.
After manually filling in a regular expression, and click Verify. The contents corresponding to the field names in the parsed text are displayed in different colors and the parsing result can be viewed on the right side, as follows:
Note: For regular expression, the special characters including "[", "]", "(", ")", "{", "}", "?", ".", "s", "S", "d", "D", "w", "W", "", "*", "|" are required to be preceded by an escape character.• Select fields: Automatically generate regular expression
Example: Taking the Agent Audit log as an example to extract the IP field from it, as follows:
1) Manually select the content of the field to be extracted. Here, select "180.171.33.167". In the field extraction window, customize the Field Name as "terminal";
2) Click OK to automatically generate a regular expression and verify it synchronously, and you can view the parsed result on the right side.Note: The field name cannot be null, cannot start with @, _, or number, and cannot be duplicated with the system field name.3) Hover over the selected field in the parsed text box to display Edit and Delete, and you can edit and delete the field by clicking on the icon, as follows:
< Previous:
Next: >